Zephin Livingston, Author at eSecurity Planet
https://www.esecurityplanet.com/author/zephin-livingston/
Thu, 26 Oct 2023 21:02:41 +0000

Top 6 Rootkit Threats and How to Protect Yourself
https://www.esecurityplanet.com/networks/rootkit-threats/
Thu, 01 Dec 2022 10:05:00 +0000

In the ever-evolving world of malware, rootkits are some of the most dangerous threats out there. A fusion of the words “root” and “kit,” rootkits are essentially software toolboxes. Though not initially developed for malicious purposes, these toolboxes have become potent pieces of malware in the hands of technically-savvy cybercriminals.

Common types of rootkits include bootkits, firmware rootkits, and memory rootkits. Once installed, a rootkit provides a hacker with an incredible number of weapons with which to wreak havoc on a system and network, often while remaining undetected until it’s too late to stop them. Depending on the rootkit and the hacker, victims can find their messages intercepted, their data stolen, or even their hardware rendered unusable.

When trying to protect yourself and your business from rootkits, it is important to understand not only the variety of rootkits out there but also the steps you can take to keep them off your devices as much as possible, and what to do when you find yourself infected. Here then are the most common rootkit threats, followed by some basic rootkit defenses.

Looking for More About Malware? Check Out What is Malware? Definition, Purpose & Common Protections

Bootkit

A bootkit is a type of kernel-mode rootkit that infects the master boot record, volume boot record or boot sector during computer startup. Bootloaders are usually launched from a disc, USB drive, or hard drive, whose boot record tells the computer where its bootloader program is. A bootkit replaces the legitimate bootloader with an infected version. The malicious loader persists through the transition to protected mode when the kernel has loaded and is thus able to subvert the kernel.

Bootkits can be difficult to detect and drive out, since they won’t typically be found in a user’s file system. Additionally, removal might cause more damage to the computer if the bootkit has already altered the computer’s boot records.

Examples include Olmasco, Rovnix and Stoned Bootkit.

Kernel-mode Rootkit

A kernel-mode rootkit alters components within the computer operating system’s core, known as the kernel. Some of these rootkits resemble device drivers or loadable modules, giving them unrestricted access to the target computer. This also gives them the ability to deftly evade detection by functioning at the same security level as the OS itself.

Because of how deeply embedded kernel-mode rootkits are within a computer’s system, they can be one of the most damaging types of malware out there. Kernel-mode rootkits generally require a high degree of technical competency to use. Any bugs or glitches in their programming leave noticeable trails for antivirus software to track.

Notable examples of kernel-mode rootkits include Knark, ZeroAccess, Adore, FudModule, Da IOS, and the deliciously named Spicy Hot Pot.

User-mode Rootkit

Also known as an “application rootkit,” the user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces (APIs). It alters the security subsystem and displays false information to administrators of the target computer. It can intercept system calls and filter output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services.

Examples of this type of rootkit include Vanquish, Aphex and Hacker Defender.

Virtual Rootkit

A virtual, or hypervisor, rootkit hosts the target OS as a virtual machine, enabling it to intercept hardware calls made by the original OS. The rootkit does not have to modify the kernel to subvert the operating system. This type of rootkit was developed as a proof of concept in 2006, but in 2017, researcher Joseph Connelly designed the nested virtual machine rootkit CloudSkulk as part of his master’s degree work at Boise State University. In 2021, Connelly and other researchers presented a new paper outlining an approach to detecting rootkits similar to CloudSkulk.

Need an Edge to Stay Ahead of Hackers? Take a Look at Top Threat Intelligence Platforms for 2022

Firmware Rootkit

A firmware rootkit uses device or platform firmware to create a persistent malware image in the router, network card, hard drive or the basic input/output system (BIOS). The rootkit is able to remain hidden because firmware is not usually inspected for code integrity. These rootkits can be used for semi-legitimate purposes, such as anti-theft technology preinstalled in BIOS images by the vendor, but they can also be exploited by cybercriminals.

Examples include Cloaker and VGA rootkit.

Memory Rootkit

Memory rootkits camouflage themselves within a computer’s random-access memory (RAM). While there, they can severely hamper a device’s performance by consuming massive amounts of RAM through their toolbox of malicious programs, on top of whatever damage they can deal with that toolbox. Thankfully, memory rootkits are one of the easier types of rootkits to manage, as they are usually wiped when the infected computer reboots.

Notable Rootkit Incidents

Thanks to the amount of control they can exert over a system and the potential damage they can cause, rootkits are a popular choice for hackers from all walks of life. As such, there have been several incidents where rootkits have been used to inflict massive amounts of harm to devices and networks.

Stuxnet is arguably the most prominent example of rootkits being used for malicious purposes. First discovered in 2010, Stuxnet was used to severely disrupt Iran’s nuclear facilities, apparently in an effort to halt the nation’s development of an atomic bomb. All told, Stuxnet managed to destroy 1,000 of the 6,000 centrifuges Iran was using to enrich its uranium.

Though never formally admitted by either nation, Stuxnet is generally agreed to have been a joint effort between the United States and Israel in an operation codenamed “Olympic Games,” as reported by both The New York Times and The Washington Post.

The ZeroAccess botnet, discovered in 2011, hit systems hard with fraudulent advertising clicks and Bitcoin mining malware, infecting at least 9 million computers worldwide. The bot was spread through the ZeroAccess rootkit, an aggressive and difficult-to-detect kernel-mode rootkit. The rootkit itself was spread through a number of infection vectors, most notably social engineering and exploit packs like Blackhole.

In 2012, cybersecurity experts with Kaspersky Lab announced they had discovered another malicious rootkit used in the Middle East, called Flame. Also known as Flamer or Skywiper, Flame was both a worm and a rootkit, being able to duplicate itself across local networks as well as boasting a diverse software toolkit with which to manipulate infected systems.

Flame’s toolkit allowed it to do things like record audio through system microphones, take screenshots without the user’s knowledge, and transmit stolen data via a covert SSL channel. It could also scan infected computers for antivirus software and alter its behavior to better avoid detection by that software.

Much like with Stuxnet, experts generally agree Flame was developed by or with funding from a nation state, though the identity of that nation has not been determined. The countries most affected by the rootkit were Iran, Israel, Palestine, Sudan, and Syria.

Want to Learn About More Malware Incidents? Take a Look at The History of Computer Viruses & Malware

Ways Rootkits Can Infect Your Device

Rootkits are ultimately a form of malware, and as with other kinds of malware, hackers have a number of ways to get a rootkit onto your device. Thankfully, the most dangerous types of rootkits are also often the most difficult to properly install. Below are some examples of common rootkit infection vectors:

  • Boot Installation: Bootkits specifically tend to be installed when an infected device boots up.
  • Packaged with Other Malware: Certain types of rootkits, such as user-mode rootkits, often find their way onto computers alongside other pieces of malware, such as through mass spam campaigns.
  • “Evil-Maid” Attacks: At times, a hacker or team of hackers might send someone to install a rootkit on an unattended device. You’ll see this version of hacking pop up in movies quite a bit.
  • Legitimate Software Programs: Rootkits were originally developed as a relatively innocuous piece of software and as a result might be included in certain legitimate programs.
  • Other Common Malware Infection Vectors: From spear phishing to social engineering to simply opening an infected document, rootkits can be slipped onto your device through the same common methods of malware infiltration as any other malware.

Want to Learn More About How Malware Can Infect Your Computer? Check Out 8 Ways Malware Creeps Onto Your Device

How to Defend Yourself Against Rootkits

To help you protect yourself from rootkits, we’ll be looking to researchers Eugene E. Schultz and Edward Ray and their chapter of the Information Security Management Handbook, Sixth Edition, Volume 2 for some expert guidance.

Prevention

For prevention, Schultz and Ray recommend that enterprises consider the following measures to prevent rootkit infections:

  • Network Security
    • Using intrusion detection and prevention tools such as rootkit scanners
    • Deploying firewalls that can analyze network traffic at the application layer
  • Patching and Updating: applying vulnerability patches in a timely manner
  • Security Best Practices:
    • Configuring systems according to security guidelines and limiting services that can run on these systems
    • Adhering to the least privilege principle (perhaps with the aid of privileged access management (PAM))
    • Using strong authentication
    • Performing regular security maintenance
    • Limiting the availability of compiler programs that rootkits exploit
  • Email security to limit malicious attachments
  • Browser security, browser isolation, or DNS security to block malicious websites or limit the reach of malicious files on websites.

Detection

Once a device is infected, the situation gets more complicated. The researchers caution that detecting and removing a rootkit is difficult. However, a rootkit can be detected by trained investigators and analysis tools, such as rootkit scanners, which uncover clues to the presence of the rootkit. Major security firms, such as Symantec, Kaspersky Lab and Intel Security (McAfee), offer rootkit scanners to enterprise customers.

Some of the telltale signs that a rootkit is present include unexplained changes in target systems, strange files in the home directory of root, or unusual network activity.

Cryptographer and computer programmer Thomas Pornin noted that the rootkit needs to maintain an entry path for the attacker, creating an opportunity for detection. In a post on Information Security Stack Exchange, Pornin recommends that IT administrators reboot the computer on a live CD or USB key and then inspect the hard disk. “If the same files do not look identical, when inspected from the outside (the OS booted on a live CD) and from the inside, then this is a rather definite sign of foul play,” he wrote.

Another contributor to the Information Security Stack Exchange who goes by the moniker user2213 explained that another way to detect a rootkit is to use spurious device codes on devices that do not normally respond to the codes. “If you get anything other than the relevant ‘Not implemented’ error code on your system, something strange is going on.”

User2213 also suggested mounting the system drive on a different PC to see if an incorrect filesystem size or unexpected files come up. This could be an indication of a rootkit. “Unfortunately, there aren’t generic red flags for rootkits in general — the battle is more cat-and-mouse,” the writer noted.
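One concrete way to run the outside-versus-inside comparison described above (Pornin’s live-CD check, and user2213’s check for unexpected files or sizes on a drive mounted elsewhere) is to inventory the same disk from both views and diff the results. The Python below is an added example, not code from the article or from the Stack Exchange posts; it assumes the running system’s root and the live-boot mount point are passed as two directories, and it constructs a small pair of sample trees to show the three kinds of discrepancy a rootkit produces.

```python
"""Compare a filesystem as seen from the booted (possibly rootkitted) OS with
the same disk as seen from a clean live-CD/USB boot, and report files whose
contents differ or that are visible from only one side.

Added illustration for this article, not the article's own code.
Assumptions: the "inside" view is the running system's root (e.g. "/") and the
"outside" view is the same disk mounted read-only under a live system
(e.g. "/mnt/disk"); paths are compared after stripping each mount prefix.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries never load whole into memory


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> Dict[str, Tuple[int, str]]:
    """Map each regular file's path (relative to root) to (size, sha256).
    Symlinks and special files are skipped; directories are walked in sorted order."""
    out: Dict[str, Tuple[int, str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            out[rel] = (p.stat().st_size, sha256_of(p))
    return out


def compare_views(inside: Path, outside: Path) -> Dict[str, List[str]]:
    """Return findings keyed by class:
    'hidden_inside'  - on disk (outside view) but not visible from inside:
                       the classic sign of a file-hiding rootkit;
    'phantom_inside' - visible inside but absent on disk (a fabricated listing);
    'modified'       - same path, different size or content (trojaned binary or library)."""
    a, b = inventory(inside), inventory(outside)
    findings: Dict[str, List[str]] = {"hidden_inside": [], "phantom_inside": [], "modified": []}
    for rel in sorted(set(a) | set(b)):
        if rel not in a:
            findings["hidden_inside"].append(rel)
        elif rel not in b:
            findings["phantom_inside"].append(rel)
        elif a[rel] != b[rel]:
            findings["modified"].append(rel)
    return findings


def build_demo() -> Tuple[Path, Path]:
    """Construct two small trees standing in for the inside and outside views.
    (Constructed sample data for this example, not a real system image.)"""
    base = Path(tempfile.mkdtemp(prefix="rootkit-demo-"))
    inside, outside = base / "inside", base / "outside"
    for root in (inside, outside):
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "etc" / "hostname").write_text("workstation\n")
    # A binary the running kernel presents as clean while the bytes on disk differ.
    (inside / "bin" / "ls").write_bytes(b"ELF-clean")
    (outside / "bin" / "ls").write_bytes(b"ELF-clean+hook")
    # A file that exists on disk but is filtered out of directory listings from inside.
    (outside / "etc" / ".rk_config").write_text("hidden\n")
    return inside, outside


def run_demo() -> Dict[str, List[str]]:
    inside, outside = build_demo()
    return compare_views(inside, outside)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for rel in paths:
            print(f"{kind:15} {rel}")
```

On a real system, run it from the live boot with the booted root's inventory saved beforehand, and expect some noise from logs and caches that legitimately change between the two views.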

Removal

Rootkits’ access to full system privileges makes them incredibly difficult to remove. Schultz and Ray recommend making an image backup and then rebuilding the compromised system using the original installation media; otherwise, the malicious code or unauthorized changes could continue even after the rootkit is “deleted.” Security patches then need to be installed and a vulnerability scan performed.

Conclusion

In sum, the best strategy to deal with rootkit threats is to stop the rootkit from infecting computers in your network through security best practices such as patch management and regular maintenance, and specialized tools such as rootkit scanners and firewalls. Should your computers become infected anyway, you need to rebuild the compromised computer from the ground up to ensure that the rootkit is eradicated.

Looking for More Ways to Keep Your Network Safe? Read Best Enterprise Network Security Tools & Solutions for 2022

NOTE: This article was originally written by Fred Donovan in 2016. It was updated by Zephin Livingston in 2022.

How You Get Malware: 8 Ways Malware Creeps Onto Your Device
https://www.esecurityplanet.com/networks/how-you-get-malware/
Thu, 01 Dec 2022 08:10:00 +0000

Malware can unleash devastating attacks on devices and IT systems, resulting in the theft of sensitive data and money, destruction of hardware and files, the complete collapse of networks and databases, and more. Understanding the attack paths malware uses to invade your systems is important for setting up defenses to stop it.

Email and the Web are the primary vectors for malware to creep into an organization, but there are many other ways. Most of the time, it even happens without the user or IT even knowing. Below we discuss some of the most common ways malware can infect your device — along with security measures you can use to stop it.

If you’ve been hit by malware and are looking for help, see How to Remove Malware: Removal Steps for Windows & Mac.

8 Ways Malware Gets on Your Device

Malvertising

Malware can be injected into a system just by surfing the Web, without clicking on any downloads or plugins or intentionally opening any files. Malvertising is one way hackers accomplish this: by injecting malicious or malware-laden advertisements into legitimate online advertising networks and Web pages.

A particularly dangerous example of this comes in the form of ChromeLoader. ChromeLoader is a piece of malware that can hijack users’ browsers to redirect them to pages full of ads. The malware recently evolved into a more dangerous form thanks to variants that can inject users’ devices with ransomware like Enigma.

A good defense against malvertising is the use of ad blockers on your preferred web browser. While many legitimate websites, such as for digital news, ask users to shut off their ad blockers, a good ad blocker can be an excellent way to filter out a lot of malvertising content. Additionally, enabling click-to-play plugins will block malvertising that uses Java or Flash from playing unless you directly click on them.

Spear Phishing

Spear phishing is one of the most common email attack vectors, where attackers disguise themselves as other employees such as your CEO or legitimate entities in an attempt to steal log-in credentials or trick users into sending money. With spear phishing, hackers target organizations for confidential or highly sensitive data. When aimed at higher-level employees like the CEO, it’s called whaling.

QR codes have become a potent new vector for spear phishing attacks. By embedding a malicious QR code in an otherwise innocuous-looking email, scammers have found another way to trick users into handing over their sensitive information. A 2021 spear phishing campaign spoofed legitimate-looking Microsoft Office 365 emails by offering users a QR code to access missed voicemail messages. When victims scanned the code, they were taken to a page that asked for their login credentials, which were then stolen.

Employee training can be a big help when dealing with spear phishing. Good training allows users to better spot some of the hallmarks of spear phishing attempts, such as a sense of urgency in the messages and imitating legitimate email addresses.

Want to Protect Yourself Against Phishing and Other Email Threats? Take a Look at Top Secure Email Gateway Solutions for 2022

Web Trojan Download

A pattern has developed with Chrome extensions, WordPress plugins and the like: software that starts out safe is turned into malware, either through exploitation or a software update. The initial download of the legitimate software serves as a Trojan horse. When a user installs third-party software, existing security mechanisms cannot tell whether it is malware or not.

A recent example of this malicious behavior was revealed this year by McAfee, which reported that a number of popular Chrome extensions had potentially infected over 1.4 million users with malicious cookies. These extensions included Netflix Party and Netflix Party 2, a pair of extensions that allowed users to sync up movies and shows on the popular streaming service to watch together.

The primary defense against trojans like these is personal vigilance. Avoid downloading software from untrusted sources. Employee training is one way for businesses to raise their employees’ cybersecurity vigilance.

Weaponized Documents

PDF and Microsoft Office documents such as Word and PowerPoint permeate the Web. This is something that we don’t often notice until a critical vulnerability shows up. Popular browsers like Chrome and Firefox contain built-in viewers for PDFs, which enable document viewing to blend seamlessly with the native Web experience. But easy document viewing can come at a price. A simple click (whether on the Web or in an email) can lead to a document that’s potentially weaponized and laden with malware.

This threat is constantly evolving as well. When Microsoft began blocking macros from running in untrusted files by default, hackers found a way around this by using archive files such as .zip, .rar, or .iso to smuggle the malware-laden files onto your device.

Like with trojans, the best defense against these sorts of documents is personal vigilance. Only open documents from trusted sources.

Spoofed Websites

A popular way to inject malware onto devices is by setting up legitimate-looking websites to entice users. This can take a variety of forms, such as changing a single letter in a legitimate website’s URL (often called typosquatting) or copying the site’s entire design and layout while adding malicious links.

Earlier this year, hackers impersonated the Ghanaian Oil Company, also known as GOIL, with a fake website claiming that users were eligible for government fuel subsidies. After filling out a short questionnaire involving questions about GOIL and basic user information like their age, users were asked to select a prize box, with three opportunities to select the correct box with their prize. If successful, users were asked to fill in their address and share the false promotion via WhatsApp in order to receive their prize, completing the phishing attempt. GOIL alerted its customers to these sorts of scams in an August 2022 Facebook post.

The best defense against spoofed websites is personal vigilance. Be aware of where the links you are clicking are sending you and, if the website is impersonating a legitimate entity like the Ghanaian Oil Company, try contacting the entity first before clicking on any links related to the suspicious website. A good antivirus program can also help ward off some of the malware found on spoofed websites.
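The typosquatting pattern described above (one changed letter, a swapped pair of letters, or a lookalike character such as “rn” for “m”) can be checked mechanically against a list of domains you trust. The Python below is an added example, not code from the article; the known-good list and sample URLs are constructed, and it assumes simple two-label domains, so multi-part public suffixes such as .co.uk are not handled.

```python
"""Flag URLs whose domain is a near-miss of a domain you trust: a single typo,
a swapped pair of letters, or a lookalike-character substitution.

Added illustration for this article; KNOWN_GOOD and SAMPLE_URLS are constructed.
Assumption: a domain is reduced to its last two labels, so multi-part public
suffixes such as .co.uk are not handled here.
"""
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Character sequences that read like another when glanced at in a URL bar.
# Multi-character forms are folded first so "rn" becomes "m" before "1" -> "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_homoglyphs(domain: str) -> str:
    """Normalize lookalike characters so 'examp1e.corn' compares as 'example.com'.
    This deliberately over-matches: a legitimate 'modern.com' also folds to 'modem.com',
    which is acceptable for a check that only raises a warning."""
    for src, dst in HOMOGLYPHS:
        domain = domain.replace(src, dst)
    return domain


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions,
    and transpositions of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_domain(url: str) -> str:
    """Pull the host out of a URL and keep its last two labels (this drops 'www.')."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def classify(url: str, known_good: Set[str], max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('exact', domain) for a trusted domain, ('lookalike', trusted_domain) for a
    near-miss within max_distance edits after homoglyph folding, else ('unknown', None)."""
    domain = registrable_domain(url)
    if domain in known_good:
        return "exact", domain
    folded = fold_homoglyphs(domain)
    best_dist, best_match = None, None
    for good in sorted(known_good):
        dist = osa_distance(folded, fold_homoglyphs(good))
        if best_dist is None or dist < best_dist:
            best_dist, best_match = dist, good
    if best_dist is not None and best_dist <= max_distance:
        return "lookalike", best_match
    return "unknown", None


# Constructed sample data for this example.
KNOWN_GOOD = {"esecurityplanet.com", "example-bank.com"}
SAMPLE_URLS = [
    "https://www.esecurityplanet.com/networks/",  # exact match after dropping www.
    "https://esecurltyplanet.com/login",          # one substituted letter
    "http://example-bank.corn/verify",            # "rn" posing as "m"
    "https://esecuirtyplanet.com/",               # two adjacent letters swapped
    "https://github.com/",                        # unrelated, not a lookalike
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, match = classify(url, KNOWN_GOOD)
        print(f"{verdict:9} {url}" + (f"  (resembles {match})" if match else ""))
```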

Want to Learn More About How Scammers Are Getting Ahold of Your Data? Check Out The Scammers’ Playbook

Fraudulent Mobile Apps

Much like the malicious Chrome extensions and WordPress plugins mentioned above, mobile apps are a dangerous vector for malware. Whether by impersonating popular apps, implementing hidden ads, keylogging, or other techniques, mobile apps possess a number of methods to infect users’ devices. These sorts of apps are nothing new, however, and they typically don’t end up on the Google Play Store or the Apple App Store, the two most popular app marketplaces.

However, an ad fraud campaign, known as Scylla, had managed to get 80 fraudulent apps onto the Google Play Store and 9 apps onto the Apple App Store, resulting in over 13 million downloads as of this writing. Scylla was first discovered in 2019 but is still ongoing. However, HUMAN Security’s Satori Threat Intelligence and Research Team has been working with Google, Apple, and other relevant parties to disrupt the campaign.

Like other infection vectors that rely on fakery and social engineering, one of the best defenses against fraudulent mobile apps is to remain vigilant. Make sure the apps you download come from legitimate sources and verify with those sources that they are selling this app on the app store. Also, be sure to report fraudulent apps you spot on the store, in order to help protect other users.

Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) allows one computer to connect to and control another over a network. Though developed by Microsoft for Windows, the technology is widely used and has clients for most popular operating systems, including Linux, macOS, Android, and iOS.

Unfortunately, RDP is sometimes left exposed and vulnerable to exploitation on older or poorly protected systems, and once hackers gain access to a computer via RDP, they can inject malware or steal files from the victim’s machine without much trouble.

A growing class of cybercriminals known as Initial Access Brokers (IABs) makes its ill-gotten gains by selling access credentials for RDP and other corporate services, such as content management systems or company VPNs. These credentials are then used by other hackers to carry out ransomware attacks on company devices.

RDP, being such a widely and legitimately used technology, is a difficult infection vector to protect against. However, where hackers are exploiting vulnerabilities on older systems, keeping your systems up to date will make those vulnerabilities much harder to use against you.

Struggling With Ransomware? Check Out Our Guide to the Best Ransomware Removal Tools

Removable Hardware

Finally, removable hardware such as flash drives is a viable vector for malware. While remote methods like spear phishing are more common, there is still a danger whenever a user plugs an unknown flash drive into their machine. Such flash drives can then deliver a variety of malware, such as keyloggers, to get hold of the user’s data.

If using a device in public spaces, users should also be wary of public USB chargers found at libraries, cafés, or airports, as hackers can utilize these to steal data and infect user devices in a practice known as “juice jacking.”

While simply not plugging unknown flash drives into a device is part of preventing this sort of attack, malware infection via USB is so quick that briefly unattended devices can be vulnerable to attack as well if a hacker is opportunistic enough. When leaving a device unattended in a public space for any reason, we recommend disabling USB ports until you return to your device.

How to Shut Down Attack Vectors

Data breaches and malware attacks are costing enterprises millions of dollars each year, and that number won’t slow down any time soon. Security detection mechanisms look for a finite set of malware patterns, but the number of variations is infinite and impossible to effectively track.

Advanced methods like heuristics, behavioral analytics, or machine learning can detect changes in behavior that can signify malware infection. However, they’re far from foolproof, and infection can still occur even with the best cybersecurity solutions and employee training on the market. For that reason, secure, isolated data backup should be part of every cyber defense system.

Rather than focus on creating signatures for the millions of different malware variants – which is virtually impossible – security solutions should focus on the attack vectors, the paths attackers and malware follow to break into computer and IT systems. Even though there are infinite strains of malware, there are only a handful of vectors, some of which include surfing the Web, phishing emails, Trojan downloads and malicious documents such as portable document formats (PDFs).

Bottom Line

Despite malware’s growing sophistication, infection vectors stay constant. Every breach starts out with the same vectors, and the two largest buckets are Web and email. The only difference is what the malware does post-breach. If we are to truly combat malware, we need to start by securing the attack vectors.

Looking For New Ways to Protect Your Business’s Data? Check Out Top Network Detection & Response (NDR) Solutions

NOTE: This article was originally written in April 2016 by Kowsik Guruswamy and updated by Zephin Livingston on December 1, 2022.

Main Targets of Ransomware Attacks & What They Look For
https://www.esecurityplanet.com/threats/what-ransomware-attackers-look-for/
Thu, 01 Dec 2022 02:25:42 +0000

Ransomware has become a potent tool for cybercriminals looking to exploit companies’ sensitive data for profit. Ransomware attacks have affected businesses across all sizes, locations, and industries, from banking and financial services to utilities to education.

When trying to keep your business safe from potential attacks, understanding the factors and signs a ransomware hacker looks for when picking their next target is just as important as any ransomware protection solution. These factors can include data value, geographic location, or a company’s use of remote workers.

What Industries Are the Most Likely Ransomware Targets?

A unifying factor of most of the industries popular with ransomware attackers is their access to incredible amounts of sensitive data that an organization might want or even need to keep private, thus making them more likely to pay the ransom. Here are the most targeted industries.

Banking and Financial Services

The reasons for targeting banking and financial services companies are fairly clear. On top of having access to the capital needed to pay large ransom amounts, they often have access to extremely sensitive client information — and assets.

The world of banking and financial services is especially vulnerable to cyber attacks, and companies in this industry were the most likely to be targeted by ransomware attackers according to cybersecurity firm Trellix’s report for 2021.

Education

Education shares similar vulnerabilities to local government institutions, often lacking the resources necessary to install anti-ransomware strategies. Their access to private information from faculty and students alike also makes them appealing targets.

In recent years, education has become a popular target for ransomware attackers. Research conducted in 2022 by antimalware vendor Emsisoft revealed that 88 ransomware incidents were reported by institutions in the US in 2021. This led to the disruption of day-to-day operations for over 1,000 schools across the nation. In half of these incidents, personal data from both teachers and students was leaked online.

The total financial impact of these attacks can’t be known with any certainty, but, like any other industry hit by ransomware, the costs are likely severe. A Sophos report on the state of ransomware in education found that lower education institutions spent $1.58 million on ransomware in 2021. Higher education institutions spent $1.42 million.

Want to Find Out More About How to Backup Your Data in the Event of a Ransomware Attack? Take a Look at Best Backup Solutions for Ransomware Protection

Energy and Utilities

Utilities are a popular target both for attackers looking to cause damage to infrastructure and for cybercriminals looking to get paid. In a 2022 report, cybersecurity firm CyberSaint reported that 43% of energy, oil, and utilities companies hit by ransomware ended up paying the ransom.

Because they provide such critical infrastructure, energy and utility firms are under more pressure than other ransomware targets to resolve the matter as quickly as possible, which sometimes means paying the ransom, Colonial Pipeline being the most notable example in recent memory.

Government

Much like utilities, government organizations are a popular target for attackers looking to cause damage to the day-to-day infrastructure needed to keep society running. Government entities also often have some of the most sensitive data ransomware users can get their hands on.

Additionally, government organizations on the local level, such as city or county administrations, often lack the time and resources necessary to implement robust cybersecurity measures and tend to use outdated technology. In some cases, this can lead to them being especially easy targets for ransomware and result in the theft of incredibly personal data, such as land deeds and social security numbers, with less effort on the attackers’ part.

Manufacturing

Of popular ransomware targets, manufacturing companies are also the most likely to have their stolen data leaked online, with cyber criminals posting the data of 45 manufacturing companies in 2020 alone, according to Palo Alto Networks’ Unit 42. IBM reported that it resolved more cyber attacks for the manufacturing industry in 2021 than any other.

There is some good news for industrial companies, however. A 2021 survey of the industry by Sophos found that 36% of respondents were hit by ransomware attacks, and nearly half of those had their data encrypted. Yet that same survey also found that only 19% of the companies affected paid the ransom. One plausible explanation is that manufacturers are better prepared than other industries to restore data from backups, which matters because attacker-supplied decryption rarely recovers everything.

Need to Know More About Ransomware Attackers and How They Operate? Read The Link Between Ransomware and Cryptocurrency

Key Signs and Vulnerabilities Ransomware Attackers Look For

Like anyone planning an assault, ransomware attackers have certain vulnerabilities and factors they look for when evaluating targets. Companies with the funds and resources to pay large sums, companies with access to sensitive data, and companies without the security infrastructure to resist a ransomware attack are favorite prey. Understanding the key signs and vulnerabilities ransomware attackers look for is a vital part of protecting yourself against future attacks.

Valuable Data

The most important factor to ransomware attackers is the value of an organization’s data. If threat actors can steal or encrypt highly sensitive information, their victims may be more willing to pay a higher ransom. Even if they don’t receive a ransom, more sensitive data will fetch a higher price from Dark Web buyers.

You can see this preference in the types of organizations ransomware attacks have targeted recently. Professional services, financial services, and manufacturing were the most popular targets for ransomware in 2021, with energy, retail, and healthcare not far behind, according to IBM. These industries all deal with sensitive data, like financial information or personal identifiers, making them ideal targets.

Lack of Security Infrastructure

Unsurprisingly, ransomware attackers also prefer targets that lack sufficient cybersecurity measures. Small and medium-sized businesses account for half or more of ransomware attacks. These companies are less likely to have as extensive security as larger corporations, making them easier targets. There are also more businesses of that size than large corporations.

This trend may grow as ransomware-as-a-service (RaaS) gains popularity. A growing number of ransomware groups have started franchising their tooling, letting virtually anyone run ransomware attacks for a fee or a share of the proceeds. Growing RaaS use means more novice cybercriminals can engage in these attacks, and these newer attackers will likely prefer easier targets.

Companies in industries that are new to cybersecurity, like manufacturing or logistics, may fall victim to this trend. Ransomware attackers may prefer these organizations, as they’re less likely to have sufficient infrastructure to stop them.

A 2021 Twitter thread looked at the most common vulnerabilities exploited by ransomware groups and found that vulnerabilities in 18 products were the most targeted (image below). As many of these are well-known, long-patched vulnerabilities, the issue of patching remains a major concern.

Top Ransomware Vulnerabilities

Money for a Ransom

Cybercriminals also typically look for targets that can pay a larger ransom. That’s why the entertainment industry, which frequently deals in multi-million-dollar projects, experienced the second-highest number of cyberattacks in 2019, according to Verizon’s 2019 Data Breach Investigations Report. A successful ransomware attack on a wealthier company may result in a more substantial payday for the attackers, drawing their attention.

At first, this figure may seem to counter the trend of attackers targeting small and medium businesses. However, even a medium-sized business can offer a significant amount of money to an individual or small group. It’s also important to note that while SMBs are the most common targets, that doesn’t necessarily mean new businesses are.

If your business brings in at least a few million dollars in annual revenue, you could be a target. Generally speaking, the more profitable your business is, the more enticing a target you are.

Need Some Good News About Ransomware? Learn About How One Company Survived a Ransomware Attack Without Paying the Ransom

Potential for Damage

Financial motivations are not the only driving force behind ransomware attacks. Some cybercriminals seek to cause as much destruction as possible, especially in state-sponsored cyberattacks. Whether it’s to make a statement or for a feeling of power, some ransomware attackers look for targets with the highest potential for damage.

Software supply chain companies are some of the most at-risk organizations. Take the SolarWinds compromise, for example, in which a trojanized update was pushed to roughly 18,000 customers through a single trusted update channel (an espionage operation rather than ransomware, but the same leverage), or the Kaseya attack, in which REvil ransomware was pushed through the company’s VSA remote-management tool and put thousands of its clients’ customers at risk. If you hold information belonging to multiple clients or connect to many other businesses’ systems, you may be an ideal target.

Managed service providers (MSPs) and software-as-a-service (SaaS) vendors are thus in some ways ideal targets. If you offer IT services to multiple other companies, a ransomware attack on your business could cause widespread damage. That potential could attract attackers.

And critical infrastructure will remain an enticing target for those seeking to do damage. Colonial Pipeline showed just how effective such attacks can be.

Remote Workers

Amid the COVID-19 pandemic, many businesses embraced remote work. Data shows that these same companies may be at increased risk of a ransomware attack. The software you use to collaborate with remote employees may have vulnerabilities that ransomware attackers seek to take advantage of. And remote employees tend to be less protected by ransomware essentials such as immutable data backups.

Remote desktop protocol (RDP), which remote workers may use more heavily than others, is a favorite of ransomware groups. In practice the entry point is usually not a flaw in RDP itself but an RDP service exposed to the Internet with weak, reused or stolen credentials, which attackers brute-force or buy from initial-access brokers. Cybercriminals leveraged RDP in 47% of all ransomware attacks in one study, more than any other category. Exposed RDP should sit behind a VPN or gateway with multi-factor authentication and account lockout, and bursts of failed logons should be alerted on.
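
A detection a practitioner would want for the RDP exposure described above, as an added example that is not from the article: it reads a constructed export of Windows Security events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, which is how RDP sessions appear in the log), flags any source address that fails at least five RDP logons within five minutes, and notes whether an RDP logon from that source later succeeded, the classic brute-force-then-compromise pattern. The export format, the sample addresses and account names, and the thresholds are assumptions made for the illustration; in real use the events would come from a SIEM or from Get-WinEvent.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed sample export of Windows Security events (not real data).
// Columns: timestamp, event ID (4624 = successful logon, 4625 = failed logon),
// logon type (10 = RemoteInteractive, i.e. RDP), source address, account name.
const sampleLog = `2022-11-28T03:14:07Z 4625 10 203.0.113.7 administrator
2022-11-28T03:14:09Z 4625 10 203.0.113.7 admin
2022-11-28T03:14:12Z 4625 10 203.0.113.7 backup
2022-11-28T03:14:15Z 4625 10 203.0.113.7 jsmith
2022-11-28T03:14:18Z 4625 10 203.0.113.7 jsmith
2022-11-28T03:14:25Z 4624 10 203.0.113.7 jsmith
2022-11-28T08:02:11Z 4625 10 198.51.100.23 mlee
2022-11-28T08:02:40Z 4624 10 198.51.100.23 mlee
2022-11-28T09:15:02Z 4625 3 203.0.113.7 svc_sql`

// Event is one parsed record of the export.
type Event struct {
	When      time.Time
	ID        int
	LogonType int
	Source    string
	Account   string
}

// Alert summarizes one source address that crossed the failure threshold.
type Alert struct {
	Source    string
	Failures  int      // failed RDP logons inside the window at the peak of the burst
	Accounts  []string // distinct account names tried from this source, sorted
	Succeeded bool     // an RDP logon from this source succeeded after the burst
}

// parseEvents turns the whitespace-separated export into time-ordered events.
func parseEvents(export string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(export))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed record: %q", sc.Text())
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		id, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, err
		}
		lt, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, err
		}
		events = append(events, Event{When: when, ID: id, LogonType: lt, Source: f[3], Account: f[4]})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// detectRDPBruteForce flags any source with at least threshold failed
// RemoteInteractive logons inside a sliding window, and records whether a
// successful RDP logon from that source followed the burst.
func detectRDPBruteForce(events []Event, threshold int, window time.Duration) []Alert {
	type state struct {
		recent   []time.Time     // failure timestamps still inside the window
		accounts map[string]bool // every account tried from this source
		alert    *Alert
	}
	states := map[string]*state{}
	for _, ev := range events {
		if ev.LogonType != 10 {
			continue // network, service and console logons are a different signal
		}
		st := states[ev.Source]
		if st == nil {
			st = &state{accounts: map[string]bool{}}
			states[ev.Source] = st
		}
		switch ev.ID {
		case 4625:
			st.accounts[ev.Account] = true
			cutoff := ev.When.Add(-window)
			kept := st.recent[:0] // drop failures that fell out of the window
			for _, t := range st.recent {
				if !t.Before(cutoff) {
					kept = append(kept, t)
				}
			}
			st.recent = append(kept, ev.When)
			if len(st.recent) >= threshold {
				if st.alert == nil {
					st.alert = &Alert{Source: ev.Source}
				}
				if len(st.recent) > st.alert.Failures {
					st.alert.Failures = len(st.recent)
				}
			}
		case 4624:
			if st.alert != nil {
				st.alert.Succeeded = true // burst followed by success: treat as a compromise
			}
		}
	}
	var alerts []Alert
	for _, st := range states {
		if st.alert == nil {
			continue
		}
		for a := range st.accounts {
			st.alert.Accounts = append(st.alert.Accounts, a)
		}
		sort.Strings(st.alert.Accounts)
		alerts = append(alerts, *st.alert)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

// analyze runs the detector over an export with a five-failures-in-five-minutes rule.
func analyze(export string) ([]Alert, error) {
	events, err := parseEvents(export)
	if err != nil {
		return nil, err
	}
	return detectRDPBruteForce(events, 5, 5*time.Minute), nil
}

func main() {
	alerts, err := analyze(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d failed RDP logons, accounts %v, later success: %v\n",
			a.Source, a.Failures, a.Accounts, a.Succeeded)
	}
}
```

On the sample data only 203.0.113.7 is flagged: five failures in eleven seconds against four different accounts, then a successful logon as jsmith, which is the event to escalate. The single mistyped password from 198.51.100.23 stays below threshold, and the type-3 network logon is ignored because it is not an RDP session. In production the thresholds need tuning per environment, and the same logic applied to 4624 events with no preceding failures from a never-seen address is a second useful rule.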

Virtual private networks (VPNs) are another common target. While these tools can protect you by encrypting your internet traffic, unpatched vulnerabilities or outdated versions can turn them into entry points for cybercriminals. If your business uses these or similar remote collaboration tools, you could be at risk.

Zero trust is one way to secure home-based and remote workers. And enterprise firewall vendors Fortinet and Palo Alto Networks unveiled secure routers aimed at home and small office workers in 2021.

Ransomware Isn’t the Only Type of Malware You Need to Watch Out For. Read What is Malware? Definition, Purpose & Common Protections

Geographic Locations

Interestingly, recent research shows that ransomware attacks are often concentrated in specific geographic areas. In active Dark Web ransomware threads in July 2021, KELA researchers found that more than 40% of threat actors mentioned the U.S. as their desired location of victims. Canada and Australia followed, both around 37%.

This geographic concentration is likely due to the concentration of wealthier or more prominent companies. Political motivations could also play a role. Specific locations like states or cities may follow similar lines, with the largest and wealthiest areas seeing more attacks.

If your company is based in these areas, you may be at higher risk of ransomware than others. This factor is likely less influential than data value and security infrastructure, but it’s worth noting regardless.

How to Prevent Ransomware

Cybercriminals don’t act randomly. Ransomware attacks follow specific motivations, and when you understand these drivers, you can know what level of risk you face.

Regardless of how at-risk you are, protecting against ransomware is critical. However, if you fall into any of these categories, you may want to consider more extensive anti-ransomware measures.

  • Data Backups: One of the best protections against ransomware is maintaining immutable backups of your data whenever possible. Attacker-supplied decryptors are unreliable, but if you have a way to recover and restore your encrypted data, you’ve removed a lot of the power ransomware attackers have over you. However, this isn’t foolproof: attackers routinely look for backups and try to encrypt or delete them too, which is why at least one copy should be offline or immutable and reachable only with credentials the production domain does not hold. Also, depending on how long it takes to restore from those backups, they might not be a feasible answer to the havoc ransomware can wreak on an organization’s day-to-day operations, so restore times should be tested rather than assumed.
  • Stop Suspicious Network Traffic: Security solutions like Intrusion Detection and Prevention (IDPS) or next-generation firewalls (NGFW) can help block potentially-malicious traffic from your network. Secure email gateways can also cut off one of the most common vectors of ransomware infection: phishing, spoofing, and the like. EDR and SIEM systems are also core security defenses.
  • Think Creatively: Deception technology could give you an early warning of ransomware or another cyberattack. Encrypting data, even in use, can blunt the threat of having sensitive data leaked to the public, provided the attacker cannot also obtain the keys.
  • Stay Alert: Ultimately, however, these tools are only as effective as the individuals using them. As such, personal vigilance remains a key factor in preventing any malware attack. Whether it’s not opening suspicious email attachments or keeping your passwords secure, good cybersecurity hygiene is an effective deterrent against ransomware. This is why one of the simplest defenses against ransomware is solid employee awareness training.


Bottom Line

Ransomware is one of the most potent threats facing businesses today. Fortunately, knowing what ransomware hackers look for when picking their targets can help companies better prepare for an attack.

Factors such as geographic location, access to sensitive data, or lacking security infrastructure can all increase the likelihood of ransomware attacks, as well as an organization’s presence in certain industries like banking, healthcare, or manufacturing.

While there are ways to defend yourself against ransomware, none of them are foolproof, and even solid defenses are under constant threat of circumvention by enterprising hackers. Still, keeping in mind what ransomware attackers might be looking for in their targets can help you stay one step ahead of ransomware and keep your and your customers’ data safe.

Looking to Learn More About How to Defend Yourself from Ransomware? Check Out Ransomware Prevention: How to Protect Against Ransomware

NOTE: This article was originally written by Devin Partida on September 22, 2021. It was updated by Zephin Livingston on December 1, 2022.


What is Malware? Definition, Purpose & Common Protections
https://www.esecurityplanet.com/threats/malware/
Tue, 29 Nov 2022 11:40:12 +0000
Anyone who has used a computer for any significant length of time has probably at least heard of malware. Short for “malicious software,” malware is any piece of computer software designed to disrupt the regular function of a network or device, to gain unauthorized access to certain hardware or systems, or to send user data to others without that user’s consent.

Malware has been around almost as long as networked computers have, with early examples like the Brain virus (1986) and the Morris worm (1988). Early specimens were often experiments or pranks, but malware is not quite as amusing in a modern context. From ransomware attacks locking businesses out of their data until they pay potentially millions of dollars to spyware tracking users’ every move through their infected device, the effects of malware can be devastating.

Today, malware is a common network threat to the devices and data of anyone who uses the Internet. Since 2008, antivirus and cybersecurity software testers AV-TEST have kept a running count of new malware samples worldwide, which stood at nearly 1 billion as of September 2022. An August 2022 Statista report counted 2.8 billion malware attacks worldwide in the first half of 2022 alone.

With so many attacks and unique types of malware out there, it’s important to have some idea of how malware works, how it can infect your devices, and what to do if you find yourself infected with it.

If you’ve been hit by malware and are looking for help, see How to Remove Malware: Removal Steps for Windows & Mac.

How Does Malware Work?

Malware’s functions vary wildly depending on what type of malware you’re dealing with. Broadly, malware will somehow be injected into a device or network and, if it can gain access to the files or systems it needs to, it will begin its work.

For example, once it infects your device, a keylogger will start tracking every keystroke you make and sending a log of those keystrokes to the hacker, allowing them to reconstruct any sensitive information you might have entered after infection, such as your PIN, password, or social security number.

To better understand how malware works, however, let’s look at some common types of malware and see how they function and what parts of a device or network they usually affect. After that, we’ll offer some techniques and tips to help you prevent malware infection but also what to do if you end up infected.

Want to Learn More About Malware? Check Out The History of Computer Viruses & Malware

Common Types of Malware

Adware

Easily one of the most frustrating types of malware, adware is software designed to harass users with a torrent of unwanted or malicious ads. Adware is often smuggled onto a device, either by users who don’t know what they’re downloading or by hiding it in an otherwise innocuous piece of software like a search engine toolbar plugin for your browser.

This isn’t quite the same as a legitimate piece of software, such as a mobile game from a reputable developer, coming packed with online ads. Usually, those ads will be screened by the developer or whoever published the software online and don’t do anything unusual beyond wasting your time. Adware advertisements might appear in places where ads typically don’t show up; might be completely unrelated to the software or website you’re using, including the depiction of explicit material; and might even begin performing a number of unwanted tasks on your device.

These unwanted tasks can include:

  • opening new tabs on your browser without you clicking on anything
  • website links redirecting to completely different websites from what you expect
  • fully crashing your browser.

Some signs of adware infection include:

  • Your browser is noticeably slower than usual
  • NSFW ads on otherwise SFW websites
  • New toolbars, plugins, or extensions appearing on your web browser without you installing them
  • Your browser’s homepage changing without your permission

Ransomware

One of the most dangerous kinds of malware for businesses, ransomware can slip into a network or device and encrypt sensitive files or lock down the entire device unless the victims pay the hacker a usually-sizable fee to unlock it; even then, attacker-supplied decryptors are often slow, buggy and incomplete, so paying rarely restores everything. Modern ransomware operators often double or triple up on the extortion by demanding additional fees to ensure that stolen files are not leaked to the public, and sometimes by threatening the victim’s customers or partners directly.

Ransomware is one of the most virulent forms of malware on the modern Internet. A report from IBM claims that 21% of all cyber attacks the company remediated in 2021 were ransomware, making it the most common type of attack in the report. The method of infection can vary from attack to attack and can include social engineering strategies, such as phishing and email spoofing, or a fraudulent website masquerading as legitimate, among others.

Once a system is infected, ransomware attacks usually come in 3 stages:

  • Surveillance: The hackers scan their target for more information on the system they are attacking. In particular, they’ll look for sensitive files which can be used for potential double-extortion attempts or additional access credentials with which to spread the ransomware across more devices.
  • Activation: The ransomware begins encrypting sensitive files or locking down the system. In the former case, the ransomware typically uses a hybrid scheme: each file is encrypted with a fresh symmetric key, which is fast enough for bulk data, and that key is then wrapped with a public key embedded in the payload, while the matching private key stays with the attacker. Nothing left on the victim’s machine can recover the files, so they can’t be restored without the attacker’s cooperation. To apply more pressure, the attacker will often also encrypt or delete backups and volume shadow copies to render them inaccessible. In the latter case, the ransomware will freeze the device’s screen or spawn so many pop-ups that the device is rendered unusable.
  • The Ransom Note: The ransomware notifies its victims of the infection via a .txt file on the infected device or a pop-up. This note will provide instructions on how to pay the ransom, usually through difficult-to-trace means like cryptocurrency.
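
The hybrid scheme described in the activation step, as an added example that is not code from the article or from any real ransomware family: it encrypts an in-memory byte string (a constructed stand-in for a file’s contents) with a one-off AES-256-GCM key, wraps that key with an RSA public key using OAEP, and shows that a different RSA key cannot unwrap it while the matching private key can. The key pair, the sample data and the function names (newAttackerKey, lock, unlock) are assumptions made for the illustration; Go’s standard library supplies the cryptography.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedBlob is what the victim is left with for each encrypted item: the data
// under a one-off AES-256-GCM key, and that key wrapped with the attacker's RSA
// public key. Nothing in it can be opened without the attacker's private key.
type LockedBlob struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// newAttackerKey stands in for the key pair the operator generates offline
// before building the payload; only the public half ships with the malware.
// (Assumed helper for this example.)
func newAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// lock models the activation stage for one item of data.
func lock(pub *rsa.PublicKey, plaintext []byte) (*LockedBlob, error) {
	key := make([]byte, 32) // fresh AES-256 key, generated on the victim machine
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the AES key so only the holder of the private key can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the plaintext key is not kept anywhere on the victim machine
		key[i] = 0
	}
	return &LockedBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlock is the decryptor side: it needs the private key to unwrap the AES key.
func unlock(priv *rsa.PrivateKey, blob *LockedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap key (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

func main() {
	attacker, err := newAttackerKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("Q3 payroll summary (constructed sample data)")
	blob, err := lock(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %x\n", blob.Ciphertext)

	someoneElse, _ := newAttackerKey()
	if _, err := unlock(someoneElse, blob); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	pt, err := unlock(attacker, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the operator's private key:", string(pt))
}
```

The defensive point is in the last two calls: once the wrapped key exists and the plaintext key is gone, no amount of analysis of the ciphertext helps, which is why recovery comes from backups, from a leaked or seized private key, or from an implementation mistake in the malware (a reused key, a weak random source, a key left in memory), not from breaking the cryptography itself.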

If You Need to Learn More About How to Keep Your Data Safe, Take a Look at Ransomware Prevention: How to Protect Against Ransomware

Rootkits

Rootkits are essentially software toolboxes which allow hackers to infiltrate a device’s systems and gain hidden, privileged control of it. Because they run at the same level as, or beneath, the software that would normally spot them, they are incredibly difficult to detect and remove, though there are tools like rootkit scanners which can help.

Typically, attackers will use rootkits to spy on users and launch cyber assaults, such as a distributed denial of service (DDoS) attack, but the aforementioned software toolbox contains a variety of malicious implements. This can include programs with which the hacker can disable security software, install keyloggers, or steal sensitive information like passwords or credit card details.

There are a few viable ways to install a rootkit, but they will typically target some weakness in either an application installed on the target device or the target device’s operating system (OS). There are also several different types of rootkits to be aware of:

  • Application Rootkits: Application rootkits replace or patch legitimate application binaries, such as a common utility like Notepad, with trojanized versions. Whenever a user runs the infected file, it gives the attacker access to their computer. Because they live in user space, they are the easiest type to catch with file-integrity checks.
  • Bootkits: This type of rootkit targets a computer’s bootloader, the software responsible for loading the computer’s OS into RAM upon startup. The firmware locates the bootloader on a boot device (the internal drive, a disc, or a USB stick) and hands control to it; a bootkit replaces the legitimate bootloader with an infected version that loads the OS and the malware together, before any security software is running. This type of rootkit is especially difficult to detect and drive out, since it won’t typically show up in the file system the OS presents. Additionally, careless removal might further damage the computer if the bootkit has altered the device’s boot records. Secure Boot, where it is enabled and enforced, is the main mitigation.
  • Firmware Rootkits: Firmware rootkits infect the firmware of a component such as the BIOS or UEFI, a hard drive or SSD controller, a network card, or a router. Because firmware lives outside the OS and the disk, these rootkits survive OS reinstallation and even disk replacement, and they can intercept data on its way to or from the hardware. Firmware rootkits are also known as “hardware rootkits.”
  • Kernel Mode Rootkits: One of the most complicated forms of rootkit, kernel mode rootkits target the core component of a device’s operating system, the kernel. Running at the same privilege level as the OS itself, they can alter what the OS reports to security software (hiding files, processes, and network connections), making them capable of especially devastating cyber attacks. However, kernel mode rootkits also require a high degree of technical competency, as any bug in the rootkit can crash the system or leave an easy trail for antivirus software to sniff out.
  • Memory Rootkits: The final type of rootkit we’re covering hides in a computer’s random-access memory (RAM) and never writes itself to disk. While there, they can inflict significant damage while also severely hampering a device’s performance by consuming large amounts of RAM with whatever programs they have running. Memory rootkits are also often the shortest-lived type of rootkit, with most being erased when a computer reboots, unless some other component reinstalls them.

Need More Intel on Rootkits? Check Out Top 6 Rootkit Threats and How to Protect Yourself

Spyware

As the name implies, spyware hides on your devices in order to monitor and transmit your data to the hacker or hackers who deployed it. This information can range from what websites you visit to your download history to your bank PIN. This software can function similarly to Facebook or Google’s targeted ad technology which can track which websites you visit and provide ads based on that history, such as getting ads for cribs after looking up baby names.

There are innumerable methods of infiltration for spyware, from social engineering tactics to malicious software concealed in software bundles to exploiting security vulnerabilities in your device’s hardware or software. It’s one of the most infectious forms of malware out there.

Types of spyware are often classified by what they gather. Keyloggers record your device’s keystrokes, password stealers harvest stored credentials, and infostealers sweep up a variety of sensitive information from their victims, such as browser cookies, saved passwords, and cryptocurrency wallets.

Trojans

Named for the Trojan Horse of Greek legend, recounted in Homer’s Odyssey and Virgil’s Aeneid, trojans work like their mythological namesake: they convince users to install them via social engineering schemes. This can come in the form of downloading free programs such as a game or a screensaver, visiting questionable video-hosting websites, or opening an attachment infected with the trojan.

Since its name more describes how it gets into a system than what it does there, trojans cover a broad range of malware:

  • Spyware can often be injected into a device as a trojan.
  • A trojan can drop a computer worm, which then spreads itself automatically across connected devices, via the Internet or a local area network (LAN), to devastating effect.
  • Remote access trojans (RATs) can provide hackers with backdoors into the infected device and allows hackers to control target computers via a remote network connection.
  • Downloader Trojans can be used to download other forms of malware onto a device.

8 Common Signs of Malware Infection

While malware comes in a variety of different shapes and sizes, there are some factors which many of the various types can all share. The infographic below isn’t a comprehensive list, and even if your computer hasn’t shown any of these signs, there’s still a chance malware has infiltrated your machine.

Common Signs of Malware Infection

Need to Know More About How Malware Can Infect Your Device? Take a Look at 8 Ways Malware Creeps Onto Your Device

Ways to Protect Your Network Against Malware

Thankfully, as scary as malware can be, individuals and businesses have ways to protect themselves against malware.

Both businesses and users alike can benefit from having good antivirus software onhand to detect and remove potential threats. Though, as digital rights group Electronic Frontier Foundation notes, “antivirus software is usually ineffective against targeted attacks.” While it’s still good to have antivirus software to deal with untargeted attacks (such as the links on a malicious website), ransomware and similarly-focused assaults will need additional protections.

An important piece of advice is to maintain a robust series of backups for all your important files and data, usually multiple backups using several different storage methods if possible. An offline storage solution, such as a hard drive or USB drive, is especially helpful, though not necessarily feasible if your business handles enough data to require, say, its own cloud storage solution. Still, maintaining and regularly updating your backups will help blunt a lot of the damage malware typically inflicts on its victims. And immutable backups are a particularly important ransomware protection.

Businesses can implement strategies like a zero-trust framework to help keep themselves safe, as well as adopt more sophisticated security solutions than individual users typically have access to. Examples include Intrusion Detection and Prevention (IDPS) tools to block potentially-malicious network traffic, network access control (NAC) to help maintain network safety with more and more employees working remote, and increasingly-vital next-generation firewalls (NGFW) for defending your data and applications from attack.

Finally, one of the simplest yet most effective tools for keeping yourself and your network safe against malware is personal vigilance. Avoid opening email attachments from accounts you don’t recognize, stay away from shady websites, make sure your passwords are secure and difficult to crack, and don’t download anything from sources you don’t absolutely trust. Indeed, malware can often be avoided by simply not clicking on infected links or files, making employee security awareness training one of the most critical defenses of all.

How to Identify and Remove Existing Malware

If you know your device or network is plagued with malware, there are a few steps you can take to get rid of it before it can do more damage.

  • Disconnect from the Internet: Disconnecting can help prevent the malware from sending your data to the hacker who deployed it or from spreading to other devices on the network. If you must download a tool or software to begin removing the malware, disconnect as soon as it has finished downloading. Only reconnect once you’re sure the issue has been dealt with.
  • Antivirus Scanning: A good antivirus or malware-scanning software will usually have programs in place to remove detected instances of malware, but that can’t always be relied upon to fix the problem.
  • Reboot: If your software solution proves ineffective, the next step is usually restarting or rebooting your machine, ideally into Safe Mode, which starts the OS with a minimal set of drivers and services and so keeps many persistence mechanisms from launching. Some types of malware, such as memory rootkits, will disappear once your system reboots, but most malware sets up persistence (a scheduled task, a service, a run key) and will come back unless that is removed too. How an OS enters safe mode differs between each system, but instructions can usually be found online, such as Microsoft’s instructions for Windows 10.
  • System Recovery: If a restart fails to solve the problem, a full system recovery or reinstallation might be necessary to fully rid yourself of malware’s grip on your device. However, this can usually result in significant data loss, which is why maintaining backups for important data is so critical.

Bottom Line

Ultimately, no foolproof solution has yet been found for preventing cyber attacks, beyond disconnecting from the Internet and living up in the mountains away from civilization, but knowing more about malware, how it works, and how to get rid of it can be a big help in keeping your device and data safe.

Want to Learn More About Keeping Your Network Safe from Malware? Check Out How to Prevent Different Types of Malware


The History of Computer Viruses & Malware
https://www.esecurityplanet.com/threats/computer-viruses-and-malware-history/
Wed, 02 Nov 2022 18:26:33 +0000
If you’ve used a computer for more than 5 minutes, you probably know a thing or two about computer viruses and malware. On the modern Internet, malware is a near-constant presence. Whether it’s infected emails stealing employee access credentials or the plague of ransomware that has menaced the business world in recent years, there are a number of ways malware can disrupt your organization.

Though often conflated with one another, malware and computer viruses aren’t necessarily the same thing. While all computer viruses are malware, not all malware are computer viruses. The key difference between computer viruses and other types of malware is that computer viruses function, as the name implies, similar to the way biological viruses function. They begin by attaching themselves to programs or files on a computer then spreading to other computers when those infected programs or files are accessed. Computer viruses can also self-replicate to attach themselves to even more programs and files. This isn’t necessarily true of other types of malware. Ransomware, for example, usually doesn’t self-replicate.

It’s important to learn as much as you can about computer viruses and malware, now more than ever. According to a recent Statista report, there have been 2.8 billion malware attacks worldwide in just the first half of 2022. A 2020 study of pentesting projects from Positive Technologies revealed that external attackers could breach 93% of company networks, with 71% being vulnerable even to novice-level hackers.

Even as we focus on current cybersecurity threats and protections, it can be just as important to take a look at the history of these malicious pieces of software and how their beginnings inform the way they’re used and circulated today. The history of computer viruses and malware goes almost as far back as the history of the field of computer science itself.

Looking to Protect Yourself Against Malware? Read Top Endpoint Detection & Response (EDR) Solutions in 2022

From Theory to Reality: 1948-1971

Though they had yet to be named, computer viruses were first conceptualized by Hungarian mathematician John von Neumann, who designed a self-replicating computer program that some consider to be the precursor to computer viruses, even if it was never developed or deployed in the way computer viruses eventually would be. Though this work began in the 1940s, it, along with his other work in the field of self-replication, was eventually compiled and distributed via the 1966 paper “Theory of Self-Reproducing Automata.”

Though von Neumann’s self-replicating program was more or less a thought experiment, computer programmer Bob Thomas of BBN wrote the Creeper program in 1971, which is often cited as the first computer virus. Named after a character from “Scooby-Doo,” Creeper was an experiment in programs that could move themselves between machines on the U.S. Department of Defense’s Advanced Research Projects Agency Network (ARPANET), the precursor of the modern Internet we know, love, and sometimes hate.

As an experiment, Creeper’s effects on infected machines were minimal. It would simply display a message on the computer’s screen: “I’M THE CREEPER. CATCH ME IF YOU CAN!” A polite little program, Creeper would also try to remove itself from the previous host whenever it moved on to a new machine.

Though polite, the Creeper was still an annoyance to some, and in 1971, Ray Tomlinson developed the first antivirus software, called Reaper. The Reaper would glide across ARPANET, scanning for and removing any instances of the Creeper it found there.

Viruses Get Their Name: 1974-1986

While the Creeper was a relatively benign program, 1974’s Rabbit Virus was one of the first computer viruses developed with malicious intent. Named for how fast it could duplicate itself, the Rabbit Virus would flood infected computers with these copies, slowing down and even crashing machines with relative ease.

1975 saw the creation of a precursor to modern trojan malware. The ANIMAL program, in which the computer would attempt to guess what animal a human was thinking of via a game similar to Twenty Questions, was popular amongst computer users at the time. John Walker’s version of the program contained a hidden program, called PERVADE, which would search computer directories, find directories without copies of ANIMAL, and place copies of ANIMAL into those directories. Like the Creeper, however, this program was relatively benign and took steps not to delete important system files while copying itself everywhere.

University of Southern California graduate student Fred Cohen designed an unnamed piece of malware that could take over a computer’s system operations. He was also the first to define the term “computer virus.” Cohen went on to become a pioneer of computer virus defense techniques.

Cohen also believed in the idea of “positive viruses,” beneficial programs that could spread like a computer virus. Cohen designed a compression virus, one built not to damage or delete infected files but instead to make them smaller.

In 1986, the first PC virus, Brain, was released into the wild. Spread via infected floppy disks, Brain would replace the boot sector of the floppy disk with a copy of itself. Created by the brothers Amjad Farooq Alvi and Basit Farooq Alvi, the virus was meant to track pirated copies of certain disks. When an infected disk was booted, it would display a message that varied from copy to copy but usually began with the phrase “Welcome to the Dungeon,” a reference to an early programming forum. The brothers’ names, addresses, and phone numbers were also listed, with a request that the victim contact them for virus removal. Like many early computer viruses, Brain was relatively benign and wasn’t designed to be much more than a nuisance.


Worms and the Dawn of the Internet Age: 1987-2000

As the Internet began entering public use, the first computer viruses that could spread via the Internet followed soon after. One of the best-known early instances is the Morris Worm. Launched on November 2, 1988, and named for its creator, Robert Morris, the Morris Worm was likewise not intentionally designed to damage infected machines. Instead, it was meant to point out weaknesses present in networks of the time.

However, a coding error caused the worm to replicate itself regardless of whether a computer was already infected, leading to computers being infected with multiple copies of the worm and eventually resulting in the infected machine crashing. Robert Morris ended up becoming the first person convicted of a felony in the U.S. under the 1986 Computer Fraud and Abuse Act.

As malicious viruses became more the norm, countermeasures were being developed to mitigate the damage these viruses caused. One of the first pieces of antivirus software, McAfee’s VirusScan, was released in 1987. It would soon be followed by other antivirus pioneers, such as ESET’s NOD program, G Data’s Anti-Virus Kit, H+BEDV’s Antivir, and Avast Antivirus.

1992’s Michelangelo virus was one of the first computer viruses to garner mainstream attention, as some vendors inadvertently sold hardware and software infected with the virus.

As the Internet grew in popularity, new vectors of infection began popping up. From chain emails to suspicious websites, modern malware techniques began developing as the world approached the 21st century.

Macro viruses — viruses that could infect documents created by programs like Microsoft Word — rose in popularity in the mid-to-late 1990s. One of the most prominent was 1999’s Melissa. Spread via email, the virus used the subject line “Important Message From [infected user].” Upon opening the email, victims would see the message “Here’s that document you asked for. Don’t show anyone else ;)” along with a Word file titled “list.doc.” The document contained a list of pornographic sites, along with passwords for access to those sites, and the virus would then spread itself and its NSFW content by emailing the first 50 people in the victim’s contact list.

Social engineering attacks soon found use in the digital space. One of the first instances was the Love Letter virus of 2000. Though it followed patterns similar to macro viruses like Melissa, Love Letter used an infected Visual Basic Script (VBS) file rather than a Word file. With a subject line reading “I Love You,” Love Letter enticed victims to open its VBS file, releasing the virus onto their computer. Once inside a computer, Love Letter replaced and overwrote existing files on the machine with copies of itself.


Going Mobile and Going Global: 2001-2010

As the Internet and computers became integral to society’s day-to-day existence, computer viruses and malware exploded in both popularity and potential disruptiveness.

In July 2001, the Code Red Worm attempted to subject the entire Internet to a distributed denial of service (DDoS) attack. Named for the flavor of Mountain Dew its discoverers were drinking at the time, Code Red would deface infected websites with text reading “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”

Due to the virus’s name and the above text, many at the time believed the malware originated in China. However, despite claims from U.S. officials at the time that the virus had been traced to China, no evidence has come to light linking Code Red to the nation. In fact, China itself would fall prey to the second iteration of Code Red in August 2001.

At its peak, Code Red had infected over 359,000 computers, according to analysis from the Center for Applied Internet Data Analysis (CAIDA). Eventually, the infected computers were all directed to attempt a DDoS specifically on whitehouse.gov, though the White House managed to sidestep the assault.

In 2003, one of the first pieces of malware designed to make money was discovered. Fizzer was a worm spread via email attachments that, once it found its way onto a machine, could perform a number of malicious tasks. It could install a keylogging program, allowing the hacker to gain access to sensitive information like bank account details, passwords, and physical addresses whenever the victim typed that information into their computer. It would also actively shut down antivirus processes to evade detection and removal. Finally, it could even act as a backdoor through which hackers could gain remote access to the infected machine’s resources.

2004 saw the first worm designed to infect cell phones, Cabir. Once it infected a phone, text reading “Caribe” would be displayed whenever the phone was turned on or used. It would then attempt to spread via Bluetooth. Users looking to evade infection by Cabir could do so by turning Bluetooth off or putting the phone into invisible mode.

Stuxnet, discovered in 2010, was the first documented attempt by sovereign nations to use malware to attack other sovereign nations. Stuxnet was designed to disrupt Iran’s nuclear facilities, in an apparent attempt to slow the country’s progress on developing an atomic bomb. This attack successfully delayed Iran’s efforts, managing to destroy 1,000 of the 6,000 centrifuges the nation was using to enrich uranium, but it neither stopped nor slowed Iran’s build-up of low-enriched uranium.

Though both governments have formally denied responsibility for the attack, Stuxnet is today commonly known to be the work of a joint effort between Israel and the United States, as reported by both “The New York Times” and “The Washington Post,” among others.


The Rise of Ransomware: 2011-2022

The 2010s and early 2020s have been marked by an increased prevalence of ransomware attacks. Though ransomware has been around for decades, with the first documented instance being 1989’s AIDS Trojan, it has really blossomed on the modern Internet. The advent of hard-to-trace digital payment methods like cryptocurrency was a boon to hackers looking to extort as much money as they could from their targets without being caught.

The CryptoLocker Trojan, launched in 2013, was one of the first major instances of ransomware being used on a large scale, hitting about 250,000 victims and extorting around $27 million in Bitcoin.

Though CryptoLocker was eventually isolated and neutralized by cybersecurity experts, it served as an effective proof-of-concept for ransomware as a business model. Copycat ransomware like TorrentLocker and CryptoWall started springing up. CryptoWall in particular was enough of a menace for the FBI’s Internet Crime Complaint Center (IC3) to issue an alert warning citizens about the malware.

2015 saw a ransomware group known as Armada Collective hit three Greek banks with DDoS attacks, demanding a ransom paid in Bitcoin from the banks to cease fire. The group also claimed responsibility for a DDoS attack on Swiss email provider ProtonMail. However, DDoS attacks on ProtonMail continued even after the ransom was paid. Armada Collective was not so lucky with the Greek banks, which bolstered their cybersecurity measures and managed to continue operating without much disruption.

In March 2016, the Petya family of ransomware was first discovered. Unlike its predecessors, which would only encrypt files, Petya would replace the computer’s master boot record with a ransom note, effectively rendering the computer unusable until a ransom was paid. It later evolved to also include file encryption. 2017 saw a pirated version of Petya, called “NotPetya,” hit multiple European countries in a major cyber attack, most notably Ukraine and Germany.

Petya was initially developed by a group called Janus Cybercrime Solutions as part of its ransomware-as-a-service (RaaS) platform. Essentially, cyber criminals could pay Janus to use Petya on their targets, with Janus providing a number of additional services to ensure the attack was a success. In exchange, Janus took a cut of the paid ransom. RaaS quickly became a major force in the world of cybercrime thanks to both Petya and other major ransomware like LeakerLocker and WannaCry.

WannaCry is especially notable for both its 2017 attack on users worldwide and its method of propagation. The attack was massive, hitting over 230,000 computers in more than 150 countries in the first day. NHS hospitals in the United Kingdom were among the largest organizations hit by WannaCry. The UK branch of automobile company Nissan was another notable victim.

The way it spread was not through more traditional ransomware vectors like email phishing but instead through EternalBlue, a Windows exploit initially developed by the U.S. National Security Agency (NSA) and subsequently stolen and leaked by hacker group The Shadow Brokers.

GandCrab burst onto the scene in 2018. Though not impressive alone, GandCrab was soon integrated with an info-stealing Trojan named “Vidar,” after the Scandinavian god of vengeance. Thanks to Vidar, GandCrab provided a potent combination of both stealing and locking down victims’ files and rapidly became the most-used RaaS on the market in 2018 and 2019.

A partner of GandCrab, known as “Team Snatch,” helped popularize the practice of publicly leaking victim data to further pressure targets to pay the ransom. This was likely an effort to better extort companies who might sufficiently back up their data to the point where deletion isn’t much of a threat.

One of the first major public ransomware data leaks occurred in November 2019 when ransomware group Maze leaked 700 MB of stolen data from American security and janitorial services provider Allied Universal.

Public leaks like Allied Universal’s and major attacks like 2021’s Colonial Pipeline Attack have led to ransomware’s increased prominence and visibility in the public eye. The Colonial Pipeline Attack is also notable for potentially being one of the first known instances of an infection vector coming from a compromised employee password found on the dark web and not an external attack on a company’s systems.

Today, ransomware continues to plague businesses and individuals at all levels of society, provided that level includes regular Internet access. IC3’s 2021 Internet Crime Report found that ransomware inflicted more than $49.2 million in losses in the United States alone, and that’s just the instances of ransomware attacks that were reported to the FBI.

The FBI isn’t the only one with worrying statistics on ransomware. IBM’s 2022 Security X-Force Threat Intelligence Index found that ransomware was the most common type of malware attack the company remediated in 2021, comprising 21% of the total. Around 37% of those attacks could be traced to a specific strain of ransomware known as both “REvil” and “Sodinokibi.”

Second place in IBM’s index belonged to a ransomware strain called “Ryuk,” which made up nearly 20% of attacks by itself. The name “Ryuk” could come from either a romanization of the number 6 in Korean, a romanization of a North Korean surname, a village in Azerbaijan, or a character from popular Japanese media franchise “Death Note.”

Ryuk and REvil are especially notable for how long they have stayed in operation, having first appeared in April 2019 and August 2018, respectively. IBM’s report notes that ransomware operations usually have a lifespan of about 17 months. REvil shut down in October 2021 after 31 months. In January 2022, Russia’s Federal Security Service announced that the group behind REvil had “ceased to exist” and that its information infrastructure had been “neutralised.”


The Impact of Computer Viruses and Malware on Cybersecurity

The cybersecurity field as it is probably would not exist without the threat of computer viruses and malware. There would still be a need for cybersecurity, of course. Data leaks, compromised access credentials, theft, and damage to hardware and software are all threats that would still exist if malware weren’t an issue.

However, the spectacle of and fear generated by major malware attacks like the Code Red Worm or the Colonial Pipeline Attack have undoubtedly helped propel cybersecurity into the industry valued at over $150 billion in 2021. The vast array of frameworks, tools, and solutions like zero trust, SIEM, and IDPS would likely not exist in the forms they do now, with the price tags they do now, without the ever-present threat of hackers and malware.

The ongoing development of cybersecurity technology by businesses and governments alike is driven by a healthy dose of fear toward the ongoing development of malware technology by criminal groups and governments alike. Just as the Internet itself has helped shape our modern world, the evolving threat of computer viruses and malware has helped shape modern cybersecurity.

The post The History of Computer Viruses & Malware appeared first on eSecurity Planet.

What is Employee Monitoring? Full Guide to Getting It Right https://www.esecurityplanet.com/trends/employee-monitoring/ Fri, 21 Oct 2022 11:37:00 +0000 https://www.esecurityplanet.com/?p=25563

Businesses have long wondered if employees are staying focused and doing their jobs. To answer this question, many in the modern age have turned to employee monitoring software.

From facial recognition to surveillance cameras to time trackers to just having a couple guys standing over employees’ shoulders, there are a multitude of ways to make sure employees are staying on-task and being productive. With the massive shift toward remote and hybrid workplaces in the wake of the COVID-19 pandemic, employee monitoring software became bigger than ever. According to a study conducted by StandOut CV, 1 in 5 companies are using some sort of employee monitoring tool.

However, some techniques are more questionable, expensive, or impractical than others, and it can be difficult to figure out which is which in isolation. Below, we’ll cover the good, the bad, and the just plain creepy of employee monitoring — along with consequences, both intended and unintended — to help you find the best way to make sure your employees are on-task.

What is Employee Monitoring and Why Use It?

Employee monitoring’s definition is in the name: it’s the surveillance of your workers using a variety of techniques and tools. These can come in a variety of forms we’ll discuss in more detail below, but the most common in a modern office setting is software monitoring, where a piece of software is installed onto employees’ computers, which can then track things such as web activity.

There are a number of reasons to implement employee monitoring in an organization. The most obvious is performance tracking. If you’re worried your employees aren’t doing their jobs correctly, employee monitoring techniques can help relieve those anxieties. There are also security concerns, such as to protect trade secrets or to avoid legal liability in the event of a workplace injury or incident.

ESP Types of Employee Monitoring Infographic


Benefits of Employee Monitoring

The benefits of employee monitoring can vary depending on the needs of the organization. For example, a 2014 article for Forbes laid out the benefits semi-truck companies can have when implementing employee monitoring systems, specifically a potential reduction in the frequency and severity of crashes. It also allowed companies to adapt to a then-recent tightening of hours-of-service (HOS) regulations.

There can also be health benefits of employee monitoring when it is extended to out-of-work programs like Castlight Health’s healthcare navigation platform, which analyzes employees’ self-reported behavior, self-assessments, and health-related online searches to help them make healthier decisions in their day-to-day lives. Fitbit and similar technology can be used to track employees’ exercise routines, with some companies even offering rewards like extra days off for good behavior. Healthy employees tend to be sharper and more productive, so encouraging healthy activity can be a real benefit for a business.


Does Employee Monitoring Increase Productivity?

The big question for many organizations is whether employee monitoring tools make employees more productive. This is a common selling point of the technology, but is there evidence backing up these claims?

This question has been studied in depth since computers and the monitoring capabilities they provide first entered the workplace in the 1980s. In short, the results are mixed. In a 1986 study published in “Communications of the ACM,” the authors noted, “Some [managers] see positive effects, such as increased productivity, a more accurate assessment of employee performance, and greater organizational control over workers.”

However, they also go on to state, “the introduction of computerized performance monitoring may result in a workplace that is less satisfying to many employees . . . [and] creates a more competitive environment which may decrease the quality of social relationships.”

For a more recent example, Akron-based Afton Manufacturing implemented RFID sensors in the late 2010s and reported saving a minimum of 300 work hours in the first year, providing the company with $6,000 in increased productivity.

However, Susan Schumacher’s 2011 article published in ESSAI titled “What Employees Should Know About Electronic Performance Monitoring” calls the oft-claimed productivity increases into question:

“…studies show that while monitoring may produce some positive short-term results on productivity, the long-term negative effect on the workplace deteriorates the relationships between management and workers and causes unnecessary stress, and emotional and physical health problems for employees.”

Schumacher also noted:

“The majority of the quantitative information written about EPM weighs heavily in favor of businesses: companies protecting themselves from information leaks, non-company related internet usage that reduces employee productivity, increases in a company’s risk of network crippling viruses, and breach[es] that threaten confidential information. In contrast, few reports have quantified the emotional and physical effects on employees or offered suggestions to help relieve or reduce the stress-related symptoms.”

While the article was written in 2011, the lion’s share of information on the topic of employee monitoring still comes from businesses. It ranges from companies like Afton Manufacturing praising the number of work hours saved to a 2014 service industry study claiming that monitoring makes employees work harder, while also admitting that these systems can have an adverse effect on employees’ ability to make ends meet: “The loss of even small amounts of income can substantially impact the worker’s ability to meet basic living expenses.”

This imbalance in information can make it difficult to quantify how much of a positive effect employee monitoring has on productivity in the long-term, as the information coming from businesses rarely balances the detrimental effect these tools may have on employees’ mental and physical well-being and job satisfaction compared with any short-term gains in productivity they report. Employees’ job satisfaction, it should be noted, is something with well-documented positive effects on their productivity.


Disadvantages of Employee Monitoring

The main disadvantages of employee monitoring involve the effects it has on employees. Employee monitoring in modern workplaces is often compared to the concept of the “panopticon,” a hypothetical prison proposed by 18th century English philosopher Jeremy Bentham. Bentham’s “panopticon” is a prison designed to allow a single security guard to observe an entire prison population without the prisoners knowing whether they are being watched at any given moment.

This comparison, common though it is, remains apt. The sheer number of options employers have at their disposal in the modern employee monitoring space makes it difficult for employees to fully understand when they are being monitored and why.

An example of this is found in the case of Myrna Arias, detailed in a 2018 study on “Evidence-Based Recommendations for Employee Performance Monitoring.” Arias was hired by American money-transferring firm Intermex, which required her to download Xora, a “mobile resource management application… that provides useful on-the-go web services for employees that often engage in client-related communication and travel.”

While the app’s use during work hours provided useful data on employee activity, Xora collected location data from users 24/7. When Arias objected to this constant monitoring of her life and asked for the feature to be turned off outside of work hours, her manager insisted that the app remain on 24/7 in order to function efficiently. The manager went on to boast that he could use the app’s tracking features to see how fast Arias was driving at any time, which speaks to the potential for tracking apps like Xora to be abused by management and others with access to their data.

After management denied her request to turn off Xora’s tracking capabilities outside of work hours, Arias turned the app off herself, which led to her being fired for noncompliance. The resulting lawsuit between Arias and Intermex ended in an out-of-court settlement. While the details of the settlement weren’t disclosed, Arias was seeking $500,000 in damages for lost wages in the lawsuit.

A large amount of academic literature, both past and present, purports that any benefits of employee monitoring are outweighed by the disadvantages. In a 2000 article published in “Business Ethics Quarterly,” Professor Adam D. Moore states, “While this kind of employee monitoring may yield some benefits, the preponderance of the evidence would suggest otherwise. Some studies have shown that these monitoring systems produce fear, resentment, and elevate stress levels.”

A central problem with employee monitoring, and specifically modern employee monitoring software, is its potential for the dehumanization of workers into collections of statistics. As Ivan Manokha put it in his 2020 paper published in “Surveillance & Society”: “…what we are dealing with is the process of the transformation of human workers into things with objective indicators such as productivity levels, physical shape, cognitive characteristics and various aggregates of these measures that compute a comparative worth of each employee with respect to other.”

How to Monitor Employee Productivity Right

In short, it would probably be best if you didn’t monitor your employees too much, but, if you feel you must, there are some steps you can take to do so ethically and to minimize harm. The previously-mentioned study “Evidence-Based Recommendations for Employee Performance Monitoring” provides a number of excellent suggestions in this area:

  • Be transparent with your use of employee monitoring: Employee monitoring software can look very similar to spyware, a type of malware used by hackers to track user activity and steal their data. The main difference is that, unlike a hacker, companies have an ethical obligation to secure employees’ consent before implementing this software and, ideally, would not put this software onto employees’ personal devices. Securing informed consent from employees, making them fully aware of the monitoring you will be performing on them, is an absolute must.
  • Make sure it’s necessary: Only implement monitoring if it “is crucial to organizational functioning because monitoring typically elicits negative responses regardless of implementation.”
  • Development, not punishment: “Use EPM for learning and development rather than deterrence,” the study cautions. Using the software purely as a punitive tool can increase the adverse effects employee monitoring can potentially inflict on employees. Utilizing it instead to provide developmental suggestions and to engineer employee growth can produce the productivity increases you want with less potential for harm.
  • Restrict EPM use to work-related behaviors: As the above Myrna Arias-Intermex case details, it’s important that you “restrict EPM to only work-related behaviors.” Avoid using employee monitoring when employees aren’t on-site and not engaging in work-related activity.
  • Keep your organization’s structure in mind: This can include the size of your company, the sort of work the company does, and the characteristic duties your employees carry out on a day-to-day basis. Make sure, especially for larger businesses, that the system is clearly communicated and described at all levels of the company, top to bottom. This is not the sort of system you should be implementing on a whim. You will also need to “[c]onsider the characteristics of the job—complex jobs that require more freedom and autonomy for core tasks will need EPM systems that do not block crucial activities.”

Overall, monitoring can be a dangerous game to play with employees because your workers are people with their own thoughts, desires, and lives outside of the workplace. They are not abstract bodies of productivity scores and performance evaluations to be analyzed by artificial intelligence, and if they are capable of doing so, they will leave if they feel they are being mistreated or dehumanized.

Running a business can be as much an emotional effort as it is an analytical one, and it’s ultimately up to you to determine if the potential gains that monitoring techniques may bring are worth the potential harm they can inflict on your employees’ well-being and morale.

Behavioral Analytics in Cybersecurity: Does It Work as Advertised? https://www.esecurityplanet.com/applications/behavioral-analytics-cybersecurity-does-it-work/ Tue, 11 Oct 2022 21:50:13 +0000 https://www.esecurityplanet.com/?p=25441

In the ever-evolving fight against data loss, data breaches, and data theft in the 21st century, organizations worldwide have turned to a number of cybersecurity solutions, services, and software in an attempt to keep their data safe and secure from threats.

One such solution is behavioral analytics, more specifically User and Entity Behavior Analytics (UEBA). UEBA uses algorithms and machine learning to track anomalous behavior not just from users within a network but also from the routers, servers, and endpoints making up that network. UEBA has been growing for some time, and a 2022 Market Data Forecast report predicts its global market size will grow from $890.7 million in 2019 to $1.1 billion by 2025. UEBA is also increasingly becoming a feature in core cybersecurity products like SIEM and EDR, so it’s growing in ways that standalone market figures don’t completely capture.

However impressive these numbers may be, they don’t answer the question of whether UEBA actually works as promised to stop cybersecurity threats. Moreover, what about other behavioral analytics methods in cybersecurity? How much good can those accomplish? Those are some of the questions this article sets out to answer.

Want to Find the UEBA Solution That’s Right for You? Check Out Best User and Entity Behavior Analytics (UEBA) Tools for 2022

What Is Behavioral Analytics?

Despite the name evoking images of psychological or sociological analyses, behavioral analytics’ origins cannot be found in academia but in the worlds of business and statistics. Behavioral analytics is essentially a subgenre of business analytics, the iterative investigation of past business performance to generate insight when making decisions.

There are a number of different ways to perform this sort of investigation. Whether it’s studying the performance of your direct competitors, using predictive analytics to determine what the future may hold for your industry, or analyzing employee performance and making optimization decisions based on that information, the entire point is to take data in and use it to make better-informed decisions.

Behavioral analytics specifically combines machine learning and big data analytics in concert to take in users’ behavioral data and identify trends, anomalies, and patterns based on this data. “Users” in this case can mean your employees, your customers, or just anyone who directly interfaces with your business and your business’s data on a regular enough basis to generate patterns.

A common use case for behavioral analytics is on eCommerce or media platforms. From the Netflix algorithm that provides you with recommendations on what to watch next based on what you’ve already watched to a meal-delivery platform like GrubHub or DoorDash offering you restaurant-specific discounts based on your ordering history, there are a number of ways that companies leverage your past activity on their platforms to generate insights and predictions in order to keep you spending money with them.

Interested in Seeing What Else Machine Learning Is Doing in Cybersecurity? Read Hyperautomation and the Future of Cybersecurity

Why Use Behavioral Analytics in Cybersecurity?

Data gathering and analysis can be beneficial in cybersecurity too of course. Information is one of the most powerful tools users and enterprises have when combatting data breaches, leaks, and data loss.

Additionally, behavioral analytics is uniquely-suited to the goals of many organizations’ cybersecurity plans. Cybercriminals, much like criminals in the physical world, tend to look for the path of least resistance when infiltrating an area. In the world of cybersecurity, the path of least resistance has consistently been shown to be the human element, specifically user accounts with enough access privileges or credentials for the cybercriminal to execute their plan.

According to a 2020 study conducted by the Ponemon Institute and sponsored by IBM Security, 40% of what the study calls “malicious incidents” occurred due to stolen/compromised employee credentials or cloud misconfigurations. Compromised employee account login information was also the costliest infection vector for enterprises. On average, malicious incidents cost companies $3.86 million per breach according to the study, but when stolen credentials were involved, that number jumped to $4.77 million.

By tracking user behavior, as well as anomalies within other parts of a network like servers or routers, companies have more opportunities to stop a data breach before it happens and potentially save a business millions of dollars. This is part of the common sales pitch of top companies within the UEBA space like Cynet, IBM, Splunk, or Microsoft, but as with any cybersecurity offering, the technology isn’t foolproof.

Does UEBA Actually Work?

Many companies tout their UEBA product as being “accurate.” This is common with software that uses machine learning or AI algorithms for classification. For example, if a UEBA solution sounds the alarm on 10 anomalous instances in a day, and even 1 of them turns out to be a cybersecurity threat, the solution could be described as able to accurately predict potential threats. Accuracy is absolutely important, but it isn’t the only measurement needed for success with machine learning. Precision, how often a model’s alerts are true positives rather than false positives, is just as vital.

For UEBA specifically, false negatives or, more accurately, the absence of false negatives is often the most important metric of all. Producing a number of false positives (being imprecise) is often preferable to allowing a false negative to slip by and cause your business to potentially lose millions. So, how good is UEBA at avoiding false negatives? The short answer is: “it’s complicated.”
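To make the accuracy/precision/false-negative distinction concrete, here is an added example (not code from the article or any vendor): two constructed tunings of a hypothetical detector, scored on a 1,000-event day with 10 real threats. The event counts and the tuning names are assumptions of this illustration.

```python
"""Alert-quality metrics for a behavioral detector.

Added example, not from the article. The labelled alert outcomes below
are constructed sample data for two hypothetical UEBA tunings; the
scoring is ordinary confusion-matrix arithmetic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    alerted: bool    # the detector raised an alert on this event
    malicious: bool  # ground truth established by the investigation


def confusion(outcomes):
    """Count true/false positives and negatives over labelled events."""
    tp = sum(1 for o in outcomes if o.alerted and o.malicious)
    fp = sum(1 for o in outcomes if o.alerted and not o.malicious)
    fn = sum(1 for o in outcomes if not o.alerted and o.malicious)
    tn = sum(1 for o in outcomes if not o.alerted and not o.malicious)
    return tp, fp, fn, tn


def metrics(outcomes):
    """Accuracy, precision, recall and the false-negative rate.

    Precision is the share of alerts that were real threats; recall is the
    share of real threats that produced an alert, so 1 - recall is the
    false-negative rate the article singles out."""
    tp, fp, fn, tn = confusion(outcomes)
    total = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {
        "accuracy": (tp + tn) / total,
        "precision": precision,
        "recall": recall,
        "false_negative_rate": 1.0 - recall,
        "alerts_to_triage": tp + fp,
    }


def constructed_day(n_events, n_malicious, caught, false_alarms):
    """Build one day of labelled events (constructed, not real telemetry)."""
    malicious = [Outcome(alerted=i < caught, malicious=True)
                 for i in range(n_malicious)]
    benign = [Outcome(alerted=i < false_alarms, malicious=False)
              for i in range(n_events - n_malicious)]
    return malicious + benign


# Two tunings of the same hypothetical detector on a 1,000-event day
# containing 10 real threats (constructed figures).
CONSERVATIVE = constructed_day(1000, 10, caught=2, false_alarms=2)
SENSITIVE = constructed_day(1000, 10, caught=10, false_alarms=30)


def preferred(candidates):
    """Pick the tuning with the fewest misses, breaking ties on precision."""
    def key(name):
        m = metrics(candidates[name])
        return (m["false_negative_rate"], -m["precision"])
    return min(candidates, key=key)


if __name__ == "__main__":
    for name, day in (("conservative", CONSERVATIVE), ("sensitive", SENSITIVE)):
        m = metrics(day)
        print(f"{name:12s} accuracy={m['accuracy']:.3f} "
              f"precision={m['precision']:.2f} recall={m['recall']:.2f} "
              f"alerts={m['alerts_to_triage']}")
    # conservative: accuracy 0.990, yet 8 of the 10 threats are missed;
    # sensitive:    accuracy 0.970, 30 false alarms to triage, nothing missed.
```

The conservative tuning wins on accuracy and precision, but the sensitive one is the only one with no false negatives, which is the ordering the article argues for.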

In 2019, researchers from Southern Methodist University conducted a study using behavioral analytics algorithms on network traffic to detect DDoS attacks. In their findings, the performance of these algorithms varied wildly by type. Random Forest was the most accurate type of algorithm discussed, scoring 99% in both accuracy and precision. Meanwhile, Naive Bayes scored a dismal 26% in accuracy and 66% in precision.

The type of anomaly being detected also affected performance. While most algorithms performed well against the HULK DDoS tool, none of them were able to accurately identify bot-generated DDoS attacks. This might be due in part to the small sample size of bot attacks that researchers had access to, however.

A 2018 paper published by the Institute of Electrical and Electronics Engineers (IEEE) highlights a specific flaw with UEBA: 

“The negative part of applying machine learning in UEBA is the same drawbacks that any machine learning brings. Machine learning has limitations dealing with privileged users, developers, and knowledgeable insiders. Those users represent a unique situation because their job functions often require irregular behaviours. This cause[s] difficulties for statistical analysis to create a baseline [for] the algorithms. Another drawback is that UEBA can’t indicate the long-term sophisticated ‘low and slow’ as attacks because they [do] not have day to day impact and become as if non-existent.”

In other words, UEBA, like other machine learning-based solutions, is at its best when the tasks it is trying to accomplish are simple, predictable, and have easy-to-identify patterns. Users who need to operate in harder-to-predict patterns, like developers or executives or subject matter experts, will give UEBA a tougher time.

David Movshovitz, co-founder and CTO of Israeli cybersecurity firm RevealSecurity, told eSecurity Planet:

“In classical UEBA, you try to look at each operation by itself… You try to learn statistical quantities like… ‘the average number of emails you send’… We claim that this average is a mathematical quantity but has no meaning from a real behavior perspective… And if I may, I would give an example. I would talk about myself as a CTO. There are days where I am busy preparing a presentation. So, very few emails, working mainly with [Microsoft] Office. Other days, I’m working on some bug in the product, and then I will rarely do emails, don’t touch files, only working on the system, on the logs, analyzing…”

David Movshovitz, CTO and Co-Founder of RevealSecurity

It should be noted, however, that Movshovitz is shunning UEBA in favor of his company’s own behavioral analysis product which, according to them, better tracks cybersecurity threats by building what they call “user journeys.” User journeys essentially track the sequencing of user actions to provide what they claim is a more accurate picture of potential cybersecurity threats. This is in contrast to UEBA, which generally treats each user action as its own individual data point laid out on a timeline.
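The baseline problem raised by the IEEE paper, and Movshovitz’s own “presentation day versus bug day” example, can be shown with a fixed per-user statistical baseline of the kind classical UEBA builds. This is an added illustration, not the article’s or any vendor’s code; the daily e-mail counts are constructed, and the 3-sigma threshold and 14-day learning window are assumptions.

```python
"""Fixed per-user statistical baseline, the "classical UEBA" view.

Added example, not the article's or any vendor's code. The daily e-mail
counts are constructed sample data; the 3-sigma threshold and the 14-day
learning window are assumptions of this illustration.
"""
from statistics import mean, pstdev

THRESHOLD = 3.0   # assumed: a day more than 3 standard deviations off baseline alerts
WARMUP = 14       # assumed: number of days used to learn the baseline


def baseline(daily_counts, warmup=WARMUP):
    """Mean and standard deviation of the learning window.

    The standard deviation is floored at 1 so that a perfectly regular
    user does not divide by zero; the floor is an assumption here."""
    window = daily_counts[:warmup]
    return mean(window), max(pstdev(window), 1.0)


def zscore_alerts(daily_counts, warmup=WARMUP, threshold=THRESHOLD):
    """Score every day after the learning window against the fixed baseline.

    Returns (day_index, z) for each day whose |z| exceeds the threshold."""
    mu, sigma = baseline(daily_counts, warmup)
    return [(i, (c - mu) / sigma)
            for i, c in enumerate(daily_counts[warmup:], start=warmup)
            if abs(c - mu) / sigma > threshold]


def flagged_days(daily_counts):
    """Just the day indices, for a quick comparison between users."""
    return [day for day, _ in zscore_alerts(daily_counts)]


# Constructed sample data: 14 learning days followed by 5 observed days.
# The last observed day is 110 e-mails for both users; treat it as the
# day an investigation later confirms as credential misuse.
CLERK = [40, 39, 41, 40, 42, 38, 40, 41, 39, 40, 42, 38, 40, 41,   # steady user
         40, 41, 39, 40, 110]
CTO = [60, 5, 58, 4, 62, 6, 55, 5, 61, 4, 59, 5, 60, 6,             # alternating days
       57, 5, 63, 4, 110]


if __name__ == "__main__":
    for name, counts in (("clerk", CLERK), ("cto", CTO)):
        mu, sigma = baseline(counts)
        print(f"{name}: baseline mean={mu:.1f} sigma={sigma:.1f} "
              f"alerts={[(d, round(z, 1)) for d, z in zscore_alerts(counts)]}")
    # The clerk's 110-e-mail day is flagged at z > 50. The CTO's identical
    # day scores below 3 because the alternating history inflates sigma,
    # so the same event is invisible to the baseline.
```

The same 110-message day is an obvious outlier for the steady user and statistically unremarkable for the irregular one, which is the baselining difficulty the quoted paper describes.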

When asked for data to support the company’s claims of superior performance, Movshovitz replied:

“This is not a theoretical claim. We have working systems on customers’ business applications, on-prem, custom-built, and SaaS, and I can give you numbers. For example, we are monitoring a Salesforce application on one of the large insurance companies in Israel, and because we are layering these profiles, we are generating about one alert once a week or even once every two weeks… We are monitoring Microsoft 365 users by a very large bank in Europe… and we are generating about 10-12 alerts a week, something like once or twice a day.” 

Although RevealSecurity didn’t provide data to support its approach, Movshovitz’s criticisms of UEBA have some validity. While UEBA is good at detecting certain types of threats like DDoS attacks, the more it deals with actual human users, whose on-network activities can vary wildly from day to day, the less effective it becomes. For some types of businesses, this won’t be an issue. For others, it can be a complete dealbreaker.

Essentially, UEBA can work, but it won’t necessarily work as a one-size-fits-all solution to your cybersecurity threat detection needs. Like other human-facing AI products like chatbots, it struggles to provide meaningful insight when confronted with situations outside of its expected datasets, situations which human users can provide all too often. However, using UEBA in concert with other solutions, as well as expert staff, can make it a relatively effective tool in the right scenarios.

Want to Learn More About Some of the Best Cybersecurity Solutions Out There? Take a Look at eSecurity Planet’s 2022 Cybersecurity Product Awards

Should You Use Behavioral Analytics?

There is some discussion to be had regarding the ethical considerations surrounding behavioral analytics in cybersecurity. UEBA can run into some of the same issues that other cybersecurity solutions, such as employee monitoring, do, and those issues are compounded by the use of AI and machine learning as part of the product.

To focus on the cybersecurity aspect first, there is the problem of what data your UEBA solution is taking in. If it’s just data collected during the user’s work hours or while they are using company hardware/software, it’s probably fine as long as you make that monitoring clear to the user in advance. Transparency is key whenever you’re collecting user data. As long as the user is fully aware of what data is being collected and what that data is being used for, it’s much easier to develop trust with that user.

Now, let’s turn to the ethical problems AI and machine learning specifically can bring into the mix. This quote from a 2021 ScienceDirect article discussing ethical guidelines within a hypothetical AI insurance system sums it up nicely: “The AI system is often treated as a discrete technical system or even as a black box, which presents an almost intractable problem because it is so complicated and therefore difficult to explain.”

The “black box” problem, as it’s called, is common in the AI space and directly relevant to UEBA and UEBA-related products. In fact, RevealSecurity co-founder and CEO Doron Hendler stated in a 2021 interview with IsraelDefense that his company’s dream for its product was “to have a black box where you can upload your logs and receive answers.”

Black box solutions are difficult to effectively deploy in cybersecurity. While users can usually view the input and output of a black box, the internal processes are obscured, and this obscurity harms the trustworthiness of the product. While a security vendor may rightly wish to protect the proprietary information and intellectual property contained in a black box solution, transparency is often the best way to assure employees, customers, and any others who interface with your network that your cybersecurity technology is not potentially being used to abuse the people it’s meant to monitor. It’s also best for customers in a market where some reports show 90% of buyers aren’t getting the effects they were promised. 

Tips for Implementing Behavioral Analytics in Cybersecurity

To understand how to implement behavioral analytics in cybersecurity, a good place to start is to first understand the ways in which UEBA is different from another popular form of analytics: cohort analytics.

Cohort analytics can look very similar to UEBA at first blush. It takes data from product or service usage, like a streaming or eCommerce platform, and organizes that data into a series of groups based on related characteristics. Called cohorts, these groups are usually measured by their shared common characteristic over a specified length of time, such as what time of day Netflix users aged 18-49 tend to watch TV shows vs. what time of day they tend to watch movies.

The key differences between cohort analysis and UEBA are twofold. First, cohort analysis is typically used in marketing and advertising circles, and its success or failure will not entirely sink a business. By contrast, UEBA being used in cybersecurity makes it more essential to keeping the company afloat by hopefully preventing damaging data breaches.

Second, UEBA tends to be a bit more granular in the way it parses data. UEBA is focused on detecting anomalies and tracking patterns that don’t conform to whatever statistically-expected patterns are set for it. So while it might group things together based on specific characteristics like login time or time spent within a certain application.

In terms of implementation, data collection is key to making effective use of UEBA. Pairing it with big data analytics can be a great way to boost UEBA capabilities. UEBA relies on machine learning and AI to process and analyze the datasets it is given, and the more data it has, the better it can find patterns and anomalies that might otherwise escape notice, similar to SIEM systems that have begun storing log and security data in data lakes.

Next, make sure you have experts in both machine learning and cybersecurity working together to manage your UEBA solution. Whether it’s a platform bought from a major enterprise or one of the many great open source machine-learning tools available, the best way to maximize the benefits of UEBA is to make sure you have the best people you can find working on it and fine-tuning it.

Finally, be flexible. Cybercriminals are, naturally, trying to avoid detection the best they can, and like any good criminals, they’re constantly evolving their methods and looking for new vulnerabilities to exploit. As such, it’s important that you be open to revising your detection and analytical methods whenever necessary to stay as far ahead of hackers as you can. Make sure UEBA is backed up by other cybersecurity solutions and experts to ensure your data is as safe as possible.

Looking for More Cybersecurity Resources? Check Out Top Endpoint Detection & Response (EDR) Solutions in 2022

Best Fraud Management Systems & Detection Tools https://www.esecurityplanet.com/products/fraud-management-systems/ Thu, 15 Sep 2022 21:06:32 +0000 https://www.esecurityplanet.com/?p=25282

Fraud is one of the most prevalent vulnerabilities in the modern world. According to the FTC, over 28 million fraud reports were filed by consumers, resulting in more than $5.8 billion in reported fraud in 2021 alone. This is more than a 70% increase over 2020.

Businesses are also at risk of fraud attempts. PwC’s 2022 Global Economic Crime and Fraud Survey reported that 46% of surveyed organizations experienced corruption, fraud, or other economic crimes in the 24-month survey period. 52% of companies with more than $10 billion in revenue were hit with fraud.

Since the beginning of the COVID-19 pandemic, businesses have responded to fraud by adopting new tools and strategies to combat the ever-evolving threat. For example, Experian’s 2021 Global Identity and Fraud Report stated that 82% of surveyed businesses had adopted customer recognition strategies.


What Is Fraud Management and Detection?

One of the best ways to fight fraud is by detecting it early, such as through fraud detection software and tools. Also called “fraud prevention tools,” these solutions are designed to enhance and aid in the analysis, detection, and management of fraud and other illicit activities across all aspects of a business.

From customers to products to processes, these solutions allow companies to track and analyze user behaviors at the application level, as opposed to the system or network level, in order to detect fraud as early as possible. They can monitor the behavior of related users to better track down potential organized criminal activity, corruption, and misuse. Finally, they are also useful for companies looking for a governance, risk, and compliance (GRC) solution.

Who Benefits Most From Using Fraud Management and Detection Tools?

The businesses that benefit most from fraud management solutions are the same businesses that are most at risk for these sorts of crimes. In its 2021 Threat Force Intelligence Index, IBM reported that manufacturing and financial services were the two industries most at risk for attack, making up 23.2% and 22.4% of attacks IBM handled, respectively.

Banks, financial services, and insurance companies are especially vulnerable to fraud due to their access to large amounts of money and sensitive information for customers and employees alike.

The healthcare industry is a similarly high-value target thanks to the incredibly sensitive personal details they keep on patients and customers. According to a report by the United States Sentencing Commission, the median loss of healthcare fraud in 2021 was over $1 million per infraction. The high cost of healthcare in the United States also makes it a likely target for fraud.

Real estate organizations have become fast-rising targets of fraud. According to SEON’s Industry Fraud Index, real estate saw a 26.8% increase in fraud reports. That same index marks utilities as one of the most lucrative fraud targets, with a median loss of $163,000.

Government organizations are arguably the most at risk of fraud attempts. According to FTC findings in 2019, government impostor fraud was the most-reported type of fraud. 2021 FTC statistics show that government impostor fraud has resulted in $227.45 million in losses. 

Want to learn more? Take a look at What Is Cybersecurity Risk Management?

Best Fraud Management Systems & Detection Tools in 2022

In our analysis and review of the fraud prevention, detection and management market, a number of providers stood out. Here are the top 10, in our analysis.

1. Fraud.net

Based out of New York, Fraud.net’s cloud-based APIs leverage AI-powered risk intelligence to provide clients with high-powered analysis and monitoring services and potentially prevent fraud attempts before they can get ahold of your money and data.

Fraud.net offers fraud management and prevention solutions for multiple different types of fraud, such as synthetic identity fraud, account takeover, business email compromise (BEC), call center fraud, and more. Fraud.net offers specific solutions for a number of industries, including gaming, financial services, and eCommerce, as well as government organizations.

The tools provided by Fraud.net’s platform are user-friendly and are excellent at blocking fraud transactions from fully processing. They’re also useful for background checks, data analytics, and data mining. Data analytics in particular is great with Fraud.net, offering users a live feed of data and analysis to better monitor and understand potential fraud risks.

Overall, Fraud.net is a solid choice for businesses looking for a comprehensive, easy to use fraud detection and management solution.

2. SAS

With nearly 50 years in the tech industry, SAS’s range of data products is staggering in its breadth. So of course, they have a fraud management solution to go along with the rest of their suite of software and solutions.

SAS Fraud Management is a single-platform, multi-departmental solution through which interested organizations can collect and analyze data using embedded machine learning models and a simple, easy-to-learn data management interface. By centralizing fraud detection across multiple departments, the platform is better able to detect fraud attempts, communicate the proper alerts to the right personnel, and hopefully keep your data and money safe.

Though powerful, the system isn’t perfect. As the volume of data collected increases, users may experience slower processing times than they expect. In time-sensitive environments such as cybersecurity and fraud prevention, time is an essential resource. As such, companies attempting to deploy this platform at scale should be aware of the processing challenges they might face.

Looking for more ways to protect your company’s data? Take a look at Top Secure Email Gateway Solutions for 2022

3. LexisNexis Risk Solutions

Previously known as ThreatMetrix, LexisNexis Risk Solutions offers industry-leading data analytics and risk management solutions. The firm’s technology is used in a number of industries, including financial services, healthcare, and insurance, as well as government organizations.

LexisNexis Risk Solutions’ platform combines digital identity intelligence, behavioral analytics, external data sources, case management, and machine learning to craft a top-flight fraud and risk management experience with which businesses can make better, more informed decisions.

Through this platform, companies can also implement a number of cybersecurity measures including multi-factor authentication, biometrics, and device binding to better protect their employees and their data.

Insurance companies using LexisNexis Risk Solutions ought to be aware that the Better Business Bureau has received numerous recent reports alleging fraudulent credit reporting, and the firm currently holds a C- rating with the Bureau.

4. Sift

With Sift, businesses have access to a digital trust and safety platform with a varied suite of solutions. This platform has been used by a number of prominent companies, including McDonald’s, DoorDash, Wayfair, Patreon, and Twitter.

Notable features Sift’s safety suite boasts include passwordless authentication, account defense measures like two-factor authentication, payment protection, and content integrity analysis. Through these features and more, businesses can keep their data safe and secure.

Sift’s analytics features are also incredibly sophisticated, allowing clients to get the best possible picture of their data intake and how to detect and prevent fraud attempts.

However, the UI can be a little complicated for some users, with certain tools and features seemingly not covered by Sift’s training kit. This makes Sift a less-than-ideal solution for companies without a strong enough IT department to manage the platform for less tech-savvy employees.

Losing data due to fraud and other complications can be tough. If you want to keep your data more secure, take a look at Top Data Loss Prevention (DLP) Solutions

5. ClearSale

Specifically targeted at the eCommerce market, ClearSale’s platform provides a number of industry-leading fraud management and prevention software tools. Notable clients include UnderArmour, Asus, Office Depot, and Timex, among others.

ClearSale has created solutions designed to benefit both small-to-midsize businesses and large enterprises alike. Companies with their own in-house fraud teams can also have their capabilities boosted by ClearSale’s platform.

Thanks to ClearSale, businesses can more efficiently process orders while keeping themselves safe from attempted fraud. Notably, users can track purchases through the platform and mark specific suspicious purchases as chargebacks to cut off certain fraud attempts at the beginning. ClearSale’s platform can also analyze data such as month-to-month transaction volumes, month-to-month approval rates, and chargeback rates. These data analytics can also be exported to a Microsoft Excel spreadsheet.

One point of contention with ClearSale is the way it handles order approval. Many fraud prevention solutions utilize scoring and filters to best determine which transactions are most likely to be fraudulent. ClearSale, however, simply approves or denies each order. While simplified, this binary treatment of transactions can lead to customer dissatisfaction as their legitimate orders are marked as potentially fraudulent and declined with little reason given as to why.

Overall, ClearSale is a solid solution for eCommerce businesses looking for a fraud prevention solution.

6. Forter

Forter is a fraud prevention and protection solution for the digital commerce market. Through Forter, businesses can streamline account-level authentication, reduce false declines, and prevent loss from abusive customer practices like attempting to use a promotional code multiple times.

Forter also implements machine learning into its platform to provide speedy, scalable automated decision-making. Its smart payments solutions can recover legitimate transactions that might have been incorrectly denied during the payments process. This can greatly improve customer satisfaction and minimize losses.

The platform is not without its flaws, however. The pricing options can make Forter’s solutions unideal for smaller businesses, and the automated decision-making process can be opaque, making it difficult for clients to fully understand why certain choices were made.

7. Riskified

Riskified offers an all-in-one eCommerce fraud detection solution specifically designed for enterprise-level businesses or businesses who process high volumes of transactions. The firm also offers a 100% chargeback protection guarantee on each and every order.

Another notable service Riskified provides allows companies to convert declined orders into proper sales, building customer satisfaction and revenue at the same time. The firm’s machine learning models can help identify the legitimacy of online buyers.

That said, users attempting to use the company’s second look feature might encounter some trouble. The platform’s PayPal integration is still a work in progress, as well. If your business makes significant use of PayPal, it might be best to find a solution with better integration with the service.

That said, Riskified is still a top-quality choice for eCommerce organizations operating at the enterprise level looking for an effective fraud prevention solution.

A great way to protect against fraud is through rigorous employee training. Take a look at the Best Cybersecurity Awareness Training for Employees in 2022.

8. Signifyd

With Signifyd, businesses can implement order automation while remaining in control of the overall process. Its insight reporting solution offers the ability to build custom data visualization and reports to better keep track of your data and make more informed business decisions. Its abuse protection services can reward customer loyalty while thwarting abuses like one customer using a promotional code multiple times.

The Decision Center allows clients to better define how fraud attempts and abuses are blocked by the system. The fraud protection aspect of the platform leverages machine learning models to deliver automated order decisions. Interested companies can opt for Guaranteed Business Protection to obtain a 100% financial guarantee against fraud on all approved orders. Its account protection features build an ever-growing profile of shoppers within the network to detect abnormalities and stop fraud attempts as quickly as possible.

However, order denial can be slightly draconian in its implementation. For example, an order can be denied simply because the email address attached to the order belongs to a relative of the cardholder and not the cardholder themselves. Its machine learning models can fall into the same “black box” problem many enterprise-level AI services deal with, making it difficult for your human staff to determine why an order was denied.

9. FraudLabs Pro

FraudLabs Pro’s fraud prevention solution screens every single order client companies process and provides a score which allows businesses to better understand the risks associated with approving or rejecting an order.

FraudLabs Pro’s validation rules are notable for their high customizability, with over 40 validation rules for interested organizations to tweak and configure to best fit their specific needs. Its machine learning algorithm learns patterns of fraud with each approval and rejection you make.

FraudLabs Pro also provides access to its Merchant Network, providing more data for companies to feed into their machine learning models.

Unfortunately, interested companies might encounter issues with the firm’s customer service response times, making it less than ideal for companies that lack an IT department capable of consistently troubleshooting issues themselves.

10. TransUnion

TransUnion offers a variety of products related to the field of credit scoring, and fraud detection and prevention certainly makes its mark in that offering list. Its TruValidate platform contains a fraud alerts feature that allows companies to access datasets with a global reach to build fraud and risk alerts based on public, device, and credit data. This allows companies to take a proactive approach to defending themselves against fraud.

TruValidate provides identity proofing, fraud analytics, and risk-based authentication to ensure a more secure relationship between businesses and their customers. Through TruValidate, clients have access to a number of risk-based authentication methods, including device-based authentication, knowledge-based authentication, and one-time passcodes.

Fraud analytics models can be customized and developed with your organization’s specific needs in mind with over 6,000 variables to choose from in the development process. Synthetic identity theft in particular can be thwarted by TransUnion models before the fraudster has a chance to escape with their ill-gotten gains.

Read Next: The Scammers’ Playbook: How Cybercriminals Get Ahold of Your Data

The Scammers’ Playbook: How Cybercriminals Get Ahold of Your Data https://www.esecurityplanet.com/trends/how-scammers-steal-your-data/ Tue, 13 Sep 2022 17:41:55 +0000 https://www.esecurityplanet.com/?p=25272

The post The Scammers’ Playbook: How Cybercriminals Get Ahold of Your Data appeared first on eSecurity Planet.

Cybercrime is a growth industry like no other. According to statistics from the FBI’s 2021 Internet Crime Report, complaints to the Internet Crime Complaint Center (IC3) have been rising since 2017. In 2021 alone, IC3 received 847,376 complaints, which amounted to $6.9 billion in reported losses, up from 2020’s 791,790 complaints and $4.2 billion in reported losses.

A major focus of cybersecurity as an industry is its efforts to detect, root out, and respond to potential fraudsters attempting to trick companies and people out of their money, data, or both. To this end, some impressive technology has been created to combat the technological side of the issue, to keep hackers and similar bad actors from accessing data and account privileges they shouldn’t.

This made a lot of sense, especially in the earlier days of the Internet, when cybersecurity measures were nowhere near as robust as they are today. However, the technological side of cybersecurity is no longer the weakest link in a company’s proverbial chain. Often, a scammer will simply target the people in a company, fool them into giving up their personal details, account passwords, and other sensitive information, and gain access that way.

As a matter of fact, the most-reported crime in the 2021 Internet Crime Report was phishing, a social engineering scam in which the victim receives a deceptive message intended to get them to reveal personal information or account credentials, or to trick them into downloading malware. IC3 received more than 300,000 phishing complaints in 2021, making phishing the only Internet crime category to exceed 100,000 complaints.

There are dozens if not hundreds of types of scams out there, but we’re going to focus on the scams most likely to affect a business, such as phishing or business email compromise (BEC). Romance scams aren’t as likely to affect businesses so we’ll leave that one for “eSecurity Planet After Dark,” if we ever go there.

With all this in mind, let’s take a look at what a scammer does, who they target, and how to spot one trying to pick your metaphorical pockets.

Read More At: Most Organizations Do DMARC Wrong. Here’s How to Do It Right.


Who Do Scammers Target and Why?

To talk about which targets scammers pick, we’ll be looking at two categories: individuals and businesses.

Individuals

The first thing to remember when dealing with scammers is that they are, ultimately, business professionals. They might not operate a legal business, and they might be more unscrupulous than the average legitimate business professional, but business professionals and scammers can have a similar mindset. They’re often looking for the sources of income that offer the most profit for the least investment. Cybercriminals look for high ROI too, which is why frustrating them enough to force them to move on is often the goal of cyber defenses.

In search of the easier score, scammers have a tendency to go after older generations. In the 2021 FBI report, individuals over 60 years of age had the highest number of complaints of any age group with 92,371 and the highest amount of reported losses with $1.68 billion. Of the six age groups listed (under 20, 20-29, 30-39, 40-49, 50-59, 60-69), the three oldest age groups reported $4.13 billion in losses, 60% of the reported losses for the entire year.

So why do scammers go after older individuals more? Aside from ageist assumptions of mental enfeeblement or lower technological competence, it’s largely a matter of who has the most money. According to data from the Federal Reserve, the 55-69 age group controlled 41.2% of the wealth in the United States as of Q1 2022, compared to 6.5% for individuals under 40. In fact, the 55-69 age group has had uninterrupted control of over 40% of the wealth in the U.S. since Q3 of 2007.

Business targets

For businesses small and large, target factors like age are replaced by type of industry and the sort of data they might hold. According to the 2021 IBM Threat Force Intelligence Index, manufacturing was the industry most likely to be attacked last year, comprising 23.2% of the cyber attacks IBM handled. Finance and insurance finished a close second at 22.4%.

Finance and insurance companies were particularly vulnerable to the sort of phishing scams we’re talking about. Phishing made up 40% of all attacks in the sector, and 70% of attacks in the sector targeted banks.

The healthcare industry is another valuable target for scammers, thanks to the high volume of sensitive information that hospitals, private practices, pharmacies and the like can have on file for patients.

Energy and utility companies have been the targets of some of the most high-profile cyber attacks in recent memory, such as the May 2021 Colonial Pipeline attack or the attack on Delta-owned Monroe Energy in November 2021. Given how lucrative both sectors are and how necessary they are to daily life, they make prime targets for ransomware.

Government organizations combine the best of both the energy and healthcare industries for scammers, with government entities both having access to sensitive information and being necessary to the day-to-day lives of citizens. In 2020 alone, 79 ransomware attacks were conducted against government entities in the U.S., costing an estimated $18.88 billion.

Read More At: Top Secure Email Gateway Solutions for 2022

What Are Common Tactics Scammers Use?

This section will be divided into two parts. First, we’ll cover the technological side of cyber attacks, such as evading detection tools or digital reconnaissance techniques. Then, we’ll go over the basic, foundational techniques most scammers find themselves using, such as social engineering and phishing.

Technological tactics

What defines cyber crime is the access scammers and other Internet criminals have to digital tools and solutions for exploiting user and company data for their own ends. Malware like SharkBot can record your keystrokes and browser cookies to steal logins, ransomware can block access to data until victims pay the hackers their requested fee, other malware can hijack Internet browsers, and so much more.

Much like other fields of tech, cyber crime is constantly evolving. When Microsoft blocked macros from running in untrusted Microsoft Office files (a common point of entry for scammers), hackers reformatted their malicious files to circumvent the block and continued using that point of entry.

One particularly potent emergent technology for scammers is blockchain and the related cryptocurrencies and NFTs. Blockchain supporters have touted it as a fraud prevention tool, but while blockchain can be useful in preventing certain kinds of attacks, it is incredibly vulnerable to others.

Cryptojacking, the practice of taking over a computer’s processes in order to mine cryptocurrency, is a popular method of blockchain-related fraud, often introduced via malicious links or by being directly installed on computers by someone with access. This variant of fraud has been around since at least 2011, when an Australian Broadcasting Corporation employee with high-level IT access privileges hijacked company computers to mine Bitcoin.

Other relatively recent technological innovations in the world of fraud include multi-factor authentication bypass via session cookie theft, the Lilith ransomware, which can lock and encrypt Windows machines while stealing data for further extortion, and a new method that abuses Windows event logs to inject code via fileless malware while evading detection.

Social Tactics

However, even with all the tools at their disposal, the scammer’s most useful tools are the simplest. Basic phishing and social engineering techniques are still the most common starting point for cyber attacks. Whether they’re getting you to trust or sympathize with them over the phone or simply scaring you into opening a malicious email, it’s important to recognize these manipulation tactics and stay vigilant, especially when dealing with strangers.

Misleading or deceptive emails, as seen in phishing attempts, are one of the most popular methods of attack. Anyone reading this has likely received multiple fake emails from someone pretending to represent a government institution, a social media platform, or a healthcare provider, trying to fool you into clicking a link to their malware-laden website or opening an infected attachment.

These emails will often try to take advantage of your fear of missing out (FOMO). They’re often marked “URGENT” in some way, shape, or form in order to drive up reader anxiety and force a click. This is the same trick business professionals might use to secure a sale (e.g., “There are only 10 of this product left, so you should buy now before they’re gone!”). FOMO is a powerful emotion to exploit, and when dealing with these sorts of communications, it’s often best to delete them without reading if you have even the slightest doubt that the sender is legitimate.

What Can You Do to Protect Against Internet Scammers?

When it comes to the personal side of cybersecurity, vigilance at all levels of an organization is key. While tools like email gateways and DMARC can do a lot to keep your email and data safe, there is no 100% foolproof technological solution to cybersecurity, which means the people in charge of the business must do their part in ensuring the company’s cybersecurity standards are being consistently met.

A common saying is “cybersecurity is a team sport,” and it is still true. If your company’s data is the proverbial money in your vault, everyone who has access to that data is a potential path to success for scammers. This means everyone needs to do their part in keeping the vault safe. Undergoing employee cybersecurity training is extremely helpful in establishing and maintaining the company-wide best practices necessary to keep everyone’s information as secure as possible.

Finally, it’s vital to remember that, even if you do successfully follow best practices and have excellent cybersecurity solutions, hackers and scammers might still find a way to gain access to sensitive information. When a scenario like that occurs, it’s important to have triage and backup procedures in place to minimize the overall damage a cyber attack can deal to your business.

Cybersecurity is one of the most vital parts of any organization in the modern business world. With how much data a company can process, whether in-house or from clients, the potential for exploitation by Internet criminals is high. Whether it’s through rock-solid cybersecurity training for employees, the latest in cybersecurity software and services, or some combination of the two, keeping your data and your customers’ data safe is an absolute necessity.

Further reading: Best Cybersecurity Awareness Training for Employees
